Windows default ruleset, and Glasswire

Windows by default creates a large set of “allow” rules for apps/services. I have come to realize that “NONE” of those Windows Firewall rules are necessary or even helpful, and you can safely delete them (inside the Windows Firewall control panel). GlassWire will create its own rules, which would have come “after” the Windows rules anyway. And the Windows default rules are not setting any “Disallow”, which means by default Windows hasn’t actually done any firewalling.
Also, because of the Windows Service Hardening (feature?), Windows will “still” create a series of hidden “allows” for various apps they don’t want you to block. These “allows” lead to remote desktop functionality (and worse) which cannot be blocked by normal means (even using GW or any other firewall tool).

Do not be under the false belief that unticking “allow remote desktop” in Windows will disable it, or even that the Windows Home build supposedly does not have Remote Desktop functionality at all. I can tell you that it is indeed still fully enabled internally.

When your computer is IDLE and the display has turned off is prime time for these services to kick in. Of all the firewalls out there, only GlassWire had the functionality to remember and inform you what your computer was doing when it was just sitting there. You will be surprised: your computer goes to town with no less than 10 services when idling on a stock Windows machine. This is even MORE true for Windows machines that come preloaded with the manufacturer’s own tools.

I recommend you start with a clean slate on the firewall when you install GlassWire, meaning only GlassWire’s rules are in there, and run in “ask to connect”. Yes, you’re going to get bombarded for a few days with notifications. If you don’t recognize the app/service, “disallow” it. Don’t worry, you can always allow anything back in a second if you think you have blocked something important. After a few days this will all calm down and it will run fairly quietly. This however DOES NOT mean you’re safe.

Another important step, after your computer has been idle for a while, is to review the services/apps and destination IPs your computer visited when supposedly doing nothing, which GlassWire will tell you. Be sure to click “more” and you will be surprised that your computer is going all over the world without your permission. Yes, there will be things in there for Windows updates. In most cases, you’re not going to be able to just block a service/app to stop the traffic. And it is also not sufficient just to block an individual IP, because 99% of the time the offending traffic has a range of IPs to choose from. You can use a variety of network tools online to determine the IP range by just feeding it the single IP, and then you can block the IP range by manually entering it on the cmd line. In this example I am blocking “everything” the offending server can take.

netsh advfirewall firewall add rule name="New_Rule" dir=out action=block remoteip=13.54.0.0/16

This defeats “all” Windows Service Hardening firewall entries attempting to keep a service talking, and anything else in the system trying to bypass you. You can just as easily remove the rule by…

netsh advfirewall firewall delete rule name="New_Rule"
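As an added example (not part of the original post), here is the same add/verify/delete procedure done with the NetSecurity cmdlets built into Windows 8 and later, so the rule can be checked after creation. The rule name and 13.54.0.0/16 come from the post; the 203.0.113.0/24 range is a constructed placeholder, and an elevated PowerShell prompt is assumed.

```powershell
# Added example, not the post's own commands. Run from an elevated PowerShell prompt.
# netsh "name=" maps to the cmdlets' -DisplayName, so this rule is the same one
# the netsh commands above create and delete.

$RuleName = 'New_Rule'
# 13.54.0.0/16 is the post's example; 203.0.113.0/24 is a constructed placeholder.
$Ranges   = @('13.54.0.0/16', '203.0.113.0/24')

function Add-OutboundBlock {
    param([string]$Name, [string[]]$RemoteRanges)
    # One rule can carry several remote ranges, so you do not need one rule per CIDR.
    # Windows Firewall evaluates block rules before allow rules, so this overrides
    # any default "allow" entry that would otherwise let traffic reach these ranges.
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block `
        -RemoteAddress $RemoteRanges -Profile Any -Enabled True | Out-Null
}

function Show-OutboundBlock {
    param([string]$Name)
    # Verify the rule exists and list exactly which remote addresses it covers.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction Stop | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Direction = $_.Direction
            Action    = $_.Action
            Enabled   = $_.Enabled
            RemoteIP  = ($addr.RemoteAddress -join ', ')
        }
    }
}

function Remove-OutboundBlock {
    param([string]$Name)
    # Equivalent of: netsh advfirewall firewall delete rule name="New_Rule"
    Remove-NetFirewallRule -DisplayName $Name
}

Add-OutboundBlock -Name $RuleName -RemoteRanges $Ranges
Show-OutboundBlock -Name $RuleName | Format-Table -AutoSize
# Remove-OutboundBlock -Name $RuleName   # uncomment to undo the block
```

Re-run Show-OutboundBlock after a reboot to confirm the rule survived alongside the rules GlassWire recreates.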

GlassWire will happily co-exist with both your rules and its rules, although it will not show you your rules within the tool. Do not worry, you cannot damage or hurt GlassWire by doing your own rules. It will silently resurrect all its rules on its own after every reboot anyway.

Use GlassWire to forensically determine what your computer is talking to. GW will block based on services/apps, but it will “not” block any Windows services deemed by MSFT to be essential. Use netsh in these circumstances.