How to prevent Firefox and Chrome from opening ports in the firewall?
Clash Royale CLAN TAG#URR8PPP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
I have noticed that Firefox and Chrome have opened ports for unsolicited inbound traffic in the Windows firewall. This happened with Windows 7 x64 and Windows 10. (Here, I am talking about the standard firewall integrated in recent Windows versions, not some third-party product).
Normally, when a program tries to change the firewall configuration, I get a notification (dialog box) on the desktop asking me if I would like to allow that action. But with Firefox and Chrome, things are different:
I regularly delete all rules for Firefox and Chrome from the firewall configuration. However, each time those browsers update themselves (which is quite often), they re-create those rules without the usual confirmation dialog appearing.
I do not understand how this is possible. I currently suspect that the rules are recreated not by Firefox or Chrome themselves, but by their maintenance (update) services which are running in the background, probably with administrative rights.
I do not want Firefox to add rules to my firewall to let unsolicited inbound traffic pass to itself to any port from any address for TCP and UDP. Likewise, I do not want Chrome to add rules to my firewall which let unsolicited inbound UDP traffic pass to itself to a certain port, but also from any address. I am considering that a big security breach given the many security vulnerabilities of the browsers.
Hence the question: How do I prevent Firefox and Chrome and their maintenance / update services from silently adding rules to the Windows firewall?
I have seen that I could control the firewall by group policies, but this seems kind of extreme to me when the only reason would be the problem described above. My clients are not part of a domain, so I would have to do this on each of them. Furthermore, I am not sure if the browsers and their maintenance / update services are able to circumvent the group policies as well.
Steps to reproduce:
Install Firefox
Install Chrome
Open the GUI for the Windows firewall management ("Windows Firewall with advanced security")
On the left, select "Inbound rules"
A list of rules appears on the right; notice two rules whose name begins with "Firefox" and one rule whose name begins with "Chrome"
When you double-click one of the rules, a dialog box appears where the rule's properties, the ports being opened, the program which is allowed to receive that traffic and so on are detailed
Note that the two rules for Firefox are nearly identical; the only difference is that one is for TCP, the other for UDP. Both allow unsolicited inbound traffic from any address to any port to Firefox.
Note that the rule for Chrome lets pass UPD traffic from any address to port 5353 to Chrome.
Delete the three rules mentioned above
Wait until a Firefox update is available and install it
Note that the two rules for Firefox are re-created when installing the update without any confirmation dialog appearing
Wait until a Chrome update is available and install it
Note that the rule for Chrome is re-created when installing the update without any confirmation dialog appearing
Hint: When testing, please be aware that you might need to right-click on "Inbound Rules" at the left and select "Refresh" from the context menu to actually see the newest updates to the rules which might have been done in the background by services or applications.
Hint 2: In fact, if you want to test this, you don't need to wait for the next Firefox or Chrome update. Just install an old version of the browsers and make sure that the firewall rules mentioned above have been created, then delete those rules. Because you have installed old versions, updates will be available immediately. Install the updates and note that the firewall rules have been silently re-created.
chrome firefox windows-10 windows-7
edited Mar 15 at 9:05
SeeYouInDisneyland
1,174519
asked Mar 15 at 8:04
BinarusBinarus
248211
add a comment |
I have noticed that Firefox and Chrome have opened ports for unsolicited inbound traffic in the Windows firewall. This happened with Windows 7 x64 and Windows 10. (Here, I am talking about the standard firewall integrated in recent Windows versions, not some third-party product).
Normally, when a program tries to change the firewall configuration, I get a notification (dialog box) on the desktop asking me if I would like to allow that action. But with Firefox and Chrome, things are different:
I regularly delete all rules for Firefox and Chrome from the firewall configuration. However, each time those browsers update themselves (which is quite often), they re-create those rules without the usual confirmation dialog appearing.
I do not understand how this is possible. I currently suspect that the rules are recreated not by Firefox or Chrome themselves, but by their maintenance (update) services which are running in the background, probably with administrative rights.
I do not want Firefox to add rules to my firewall to let unsolicited inbound traffic pass to itself to any port from any address for TCP and UDP. Likewise, I do not want Chrome to add rules to my firewall which let unsolicited inbound UDP traffic pass to itself to a certain port, but also from any address. I am considering that a big security breach given the many security vulnerabilities of the browsers.
Hence the question: How do I prevent Firefox and Chrome and their maintenance / update services from silently adding rules to the Windows firewall?
I have seen that I could control the firewall by group policies, but this seems kind of extreme to me when the only reason would be the problem described above. My clients are not part of a domain, so I would have to do this on each of them. Furthermore, I am not sure if the browsers and their maintenance / update services are able to circumvent the group policies as well.
Steps to reproduce:
Install Firefox
Install Chrome
Open the GUI for the Windows firewall management ("Windows Firewall with advanced security")
On the left, select "Inbound rules"
A list of rules appears on the right; notice two rules whose name begins with "Firefox" and one rule whose name begins with "Chrome"
When you double-click one of the rules, a dialog box appears where the rule's properties, the ports being opened, the program which is allowed to receive that traffic and so on are detailed
Note that the two rules for Firefox are nearly identical; the only difference is that one is for TCP, the other for UDP. Both allow unsolicited inbound traffic from any address to any port to Firefox.
Note that the rule for Chrome lets pass UPD traffic from any address to port 5353 to Chrome.
Delete the three rules mentioned above
Wait until a Firefox update is available and install it
Note that the two rules for Firefox are re-created when installing the update without any confirmation dialog appearing
Wait until a Chrome update is available and install it
Note that the rule for Chrome is re-created when installing the update without any confirmation dialog appearing
Hint: When testing, please be aware that you might need to right-click on "Inbound Rules" at the left and select "Refresh" from the context menu to actually see the newest updates to the rules which might have been done in the background by services or applications.
Hint 2: In fact, if you want to test this, you don't need to wait for the next Firefox or Chrome update. Just install an old version of the browsers and make sure that the firewall rules mentioned above have been created, then delete those rules. Because you have installed old versions, updates will be available immediately. Install the updates and note that the firewall rules have been silently re-created.
chrome firefox windows-10 windows-7
edited Mar 15 at 9:05
SeeYouInDisneyland
1,174519
asked Mar 15 at 8:04
BinarusBinarus
248211
1
All what I read here are just claims, which might be true or might be caused by some misunderstanding. Could you actually provide detailed information what ports are exactly opened in your opinion, i.e. show the relevant output from netstat or wherever you got this information from?
– Steffen Ullrich
Mar 15 at 8:15
Actually showing those rules is difficult because I've just deleted them before asking. However, the steps to reproduce are: Install Firefox; install Chrome; Open the management GUI for "Windows Firewall with advanced security"; select "Inbound Rules"; notice two rules whose name starts with "Firefox" and one rule named "Chrome (mDNS in)"; examine each rule by double-clicking it and cycling through the tabs of the dialog box that opens. I'll add this to my question.
– Binarus
Mar 15 at 8:20
@SteffenUllrich And further more, I am not interested if Firefox / Chrome actually listen somewhere, i.e. I am not interested innetstator similar tools. I am interested in the firewall settings which don't have anything to do with that. After all, Firefox and Chrome could listen on some ports, but that wouldn't be harmful if the firewall would block them; or they may not listen on that ports, but might change the firewall configuration. I am exclusively interested in how to prevent them from changing the firewall rules (whether or not they are actually listening).
– Binarus
Mar 15 at 8:38
1
Related post on Super user
– Sefa
Mar 15 at 9:57
Thanks for the link - I didn't see that before. Same issue, and no solution ...
– Binarus
Mar 15 at 13:43
add a comment |
I have noticed that Firefox and Chrome have opened ports for unsolicited inbound traffic in the Windows firewall. This happened with Windows 7 x64 and Windows 10. (Here, I am talking about the standard firewall integrated in recent Windows versions, not some third-party product).
Normally, when a program tries to change the firewall configuration, I get a notification (dialog box) on the desktop asking me if I would like to allow that action. But with Firefox and Chrome, things are different:
I regularly delete all rules for Firefox and Chrome from the firewall configuration. However, each time those browsers update themselves (which is quite often), they re-create those rules without the usual confirmation dialog appearing.
I do not understand how this is possible. I currently suspect that the rules are recreated not by Firefox or Chrome themselves, but by their maintenance (update) services which are running in the background, probably with administrative rights.
I do not want Firefox to add rules to my firewall to let unsolicited inbound traffic pass to itself to any port from any address for TCP and UDP. Likewise, I do not want Chrome to add rules to my firewall which let unsolicited inbound UDP traffic pass to itself to a certain port, but also from any address. I am considering that a big security breach given the many security vulnerabilities of the browsers.
Hence the question: How do I prevent Firefox and Chrome and their maintenance / update services from silently adding rules to the Windows firewall?
I have seen that I could control the firewall by group policies, but this seems kind of extreme to me when the only reason would be the problem described above. My clients are not part of a domain, so I would have to do this on each of them. Furthermore, I am not sure if the browsers and their maintenance / update services are able to circumvent the group policies as well.
Steps to reproduce:
Install Firefox
Install Chrome
Open the GUI for the Windows firewall management ("Windows Firewall with advanced security")
On the left, select "Inbound rules"
A list of rules appears on the right; notice two rules whose name begins with "Firefox" and one rule whose name begins with "Chrome"
When you double-click one of the rules, a dialog box appears where the rule's properties, the ports being opened, the program which is allowed to receive that traffic and so on are detailed
Note that the two rules for Firefox are nearly identical; the only difference is that one is for TCP, the other for UDP. Both allow unsolicited inbound traffic from any address to any port to Firefox.
Note that the rule for Chrome lets pass UPD traffic from any address to port 5353 to Chrome.
Delete the three rules mentioned above
Wait until a Firefox update is available and install it
Note that the two rules for Firefox are re-created when installing the update without any confirmation dialog appearing
Wait until a Chrome update is available and install it
Note that the rule for Chrome is re-created when installing the update without any confirmation dialog appearing
Hint: When testing, please be aware that you might need to right-click on "Inbound Rules" at the left and select "Refresh" from the context menu to actually see the newest updates to the rules which might have been done in the background by services or applications.
Hint 2: In fact, if you want to test this, you don't need to wait for the next Firefox or Chrome update. Just install an old version of the browsers and make sure that the firewall rules mentioned above have been created, then delete those rules. Because you have installed old versions, updates will be available immediately. Install the updates and note that the firewall rules have been silently re-created.
chrome firefox windows-10 windows-7
edited Mar 15 at 9:05
SeeYouInDisneyland
1,174519
asked Mar 15 at 8:04
BinarusBinarus
248211
I have noticed that Firefox and Chrome have opened ports for unsolicited inbound traffic in the Windows firewall. This happened with Windows 7 x64 and Windows 10. (Here, I am talking about the standard firewall integrated in recent Windows versions, not some third-party product).
Normally, when a program tries to change the firewall configuration, I get a notification (dialog box) on the desktop asking me if I would like to allow that action. But with Firefox and Chrome, things are different:
I regularly delete all rules for Firefox and Chrome from the firewall configuration. However, each time those browsers update themselves (which is quite often), they re-create those rules without the usual confirmation dialog appearing.
I do not understand how this is possible. I currently suspect that the rules are recreated not by Firefox or Chrome themselves, but by their maintenance (update) services which are running in the background, probably with administrative rights.
I do not want Firefox to add rules to my firewall to let unsolicited inbound traffic pass to itself to any port from any address for TCP and UDP. Likewise, I do not want Chrome to add rules to my firewall which let unsolicited inbound UDP traffic pass to itself to a certain port, but also from any address. I am considering that a big security breach given the many security vulnerabilities of the browsers.
Hence the question: How do I prevent Firefox and Chrome and their maintenance / update services from silently adding rules to the Windows firewall?
I have seen that I could control the firewall by group policies, but this seems kind of extreme to me when the only reason would be the problem described above. My clients are not part of a domain, so I would have to do this on each of them. Furthermore, I am not sure if the browsers and their maintenance / update services are able to circumvent the group policies as well.
Steps to reproduce:
Install Firefox
Install Chrome
Open the GUI for the Windows firewall management ("Windows Firewall with advanced security")
On the left, select "Inbound rules"
A list of rules appears on the right; notice two rules whose name begins with "Firefox" and one rule whose name begins with "Chrome"
When you double-click one of the rules, a dialog box appears where the rule's properties, the ports being opened, the program which is allowed to receive that traffic and so on are detailed
Note that the two rules for Firefox are nearly identical; the only difference is that one is for TCP, the other for UDP. Both allow unsolicited inbound traffic from any address to any port to Firefox.
Note that the rule for Chrome lets pass UPD traffic from any address to port 5353 to Chrome.
Delete the three rules mentioned above
Wait until a Firefox update is available and install it
Note that the two rules for Firefox are re-created when installing the update without any confirmation dialog appearing
Wait until a Chrome update is available and install it
Note that the rule for Chrome is re-created when installing the update without any confirmation dialog appearing
Hint: When testing, please be aware that you might need to right-click on "Inbound Rules" at the left and select "Refresh" from the context menu to actually see the newest updates to the rules which might have been done in the background by services or applications.
Hint 2: In fact, if you want to test this, you don't need to wait for the next Firefox or Chrome update. Just install an old version of the browsers and make sure that the firewall rules mentioned above have been created, then delete those rules. Because you have installed old versions, updates will be available immediately. Install the updates and note that the firewall rules have been silently re-created.
chrome firefox windows-10 windows-7
chrome firefox windows-10 windows-7
edited Mar 15 at 9:05
SeeYouInDisneyland
1,174519
asked Mar 15 at 8:04
BinarusBinarus
248211
edited Mar 15 at 9:05
SeeYouInDisneyland
1,174519
asked Mar 15 at 8:04
BinarusBinarus
248211
edited Mar 15 at 9:05
SeeYouInDisneyland
1,174519
edited Mar 15 at 9:05
SeeYouInDisneyland
1,174519
edited Mar 15 at 9:05
SeeYouInDisneyland
1,174519
1,174519
asked Mar 15 at 8:04
BinarusBinarus
248211
asked Mar 15 at 8:04
BinarusBinarus
248211
asked Mar 15 at 8:04
BinarusBinarus
248211
248211
1
All what I read here are just claims, which might be true or might be caused by some misunderstanding. Could you actually provide detailed information what ports are exactly opened in your opinion, i.e. show the relevant output from netstat or wherever you got this information from?
– Steffen Ullrich
Mar 15 at 8:15
Actually showing those rules is difficult because I've just deleted them before asking. However, the steps to reproduce are: Install Firefox; install Chrome; Open the management GUI for "Windows Firewall with advanced security"; select "Inbound Rules"; notice two rules whose name starts with "Firefox" and one rule named "Chrome (mDNS in)"; examine each rule by double-clicking it and cycling through the tabs of the dialog box that opens. I'll add this to my question.
– Binarus
Mar 15 at 8:20
@SteffenUllrich And further more, I am not interested if Firefox / Chrome actually listen somewhere, i.e. I am not interested innetstator similar tools. I am interested in the firewall settings which don't have anything to do with that. After all, Firefox and Chrome could listen on some ports, but that wouldn't be harmful if the firewall would block them; or they may not listen on that ports, but might change the firewall configuration. I am exclusively interested in how to prevent them from changing the firewall rules (whether or not they are actually listening).
– Binarus
Mar 15 at 8:38
1
Related post on Super user
– Sefa
Mar 15 at 9:57
Thanks for the link - I didn't see that before. Same issue, and no solution ...
– Binarus
Mar 15 at 13:43
add a comment |
1
All what I read here are just claims, which might be true or might be caused by some misunderstanding. Could you actually provide detailed information what ports are exactly opened in your opinion, i.e. show the relevant output from netstat or wherever you got this information from?
– Steffen Ullrich
Mar 15 at 8:15
Actually showing those rules is difficult because I've just deleted them before asking. However, the steps to reproduce are: Install Firefox; install Chrome; Open the management GUI for "Windows Firewall with advanced security"; select "Inbound Rules"; notice two rules whose name starts with "Firefox" and one rule named "Chrome (mDNS in)"; examine each rule by double-clicking it and cycling through the tabs of the dialog box that opens. I'll add this to my question.
– Binarus
Mar 15 at 8:20
@SteffenUllrich And further more, I am not interested if Firefox / Chrome actually listen somewhere, i.e. I am not interested innetstator similar tools. I am interested in the firewall settings which don't have anything to do with that. After all, Firefox and Chrome could listen on some ports, but that wouldn't be harmful if the firewall would block them; or they may not listen on that ports, but might change the firewall configuration. I am exclusively interested in how to prevent them from changing the firewall rules (whether or not they are actually listening).
– Binarus
Mar 15 at 8:38
1
Related post on Super user
– Sefa
Mar 15 at 9:57
Thanks for the link - I didn't see that before. Same issue, and no solution ...
– Binarus
Mar 15 at 13:43
1
1
All what I read here are just claims, which might be true or might be caused by some misunderstanding. Could you actually provide detailed information what ports are exactly opened in your opinion, i.e. show the relevant output from netstat or wherever you got this information from?
– Steffen Ullrich
Mar 15 at 8:15
All what I read here are just claims, which might be true or might be caused by some misunderstanding. Could you actually provide detailed information what ports are exactly opened in your opinion, i.e. show the relevant output from netstat or wherever you got this information from?
– Steffen Ullrich
Mar 15 at 8:15
Actually showing those rules is difficult because I've just deleted them before asking. However, the steps to reproduce are: Install Firefox; install Chrome; Open the management GUI for "Windows Firewall with advanced security"; select "Inbound Rules"; notice two rules whose name starts with "Firefox" and one rule named "Chrome (mDNS in)"; examine each rule by double-clicking it and cycling through the tabs of the dialog box that opens. I'll add this to my question.
– Binarus
Mar 15 at 8:20
Actually showing those rules is difficult because I've just deleted them before asking. However, the steps to reproduce are: Install Firefox; install Chrome; Open the management GUI for "Windows Firewall with advanced security"; select "Inbound Rules"; notice two rules whose name starts with "Firefox" and one rule named "Chrome (mDNS in)"; examine each rule by double-clicking it and cycling through the tabs of the dialog box that opens. I'll add this to my question.
– Binarus
Mar 15 at 8:20
@SteffenUllrich And further more, I am not interested if Firefox / Chrome actually listen somewhere, i.e. I am not interested in
netstat or similar tools. I am interested in the firewall settings which don't have anything to do with that. After all, Firefox and Chrome could listen on some ports, but that wouldn't be harmful if the firewall would block them; or they may not listen on that ports, but might change the firewall configuration. I am exclusively interested in how to prevent them from changing the firewall rules (whether or not they are actually listening).– Binarus
Mar 15 at 8:38
@SteffenUllrich And further more, I am not interested if Firefox / Chrome actually listen somewhere, i.e. I am not interested in
netstat or similar tools. I am interested in the firewall settings which don't have anything to do with that. After all, Firefox and Chrome could listen on some ports, but that wouldn't be harmful if the firewall would block them; or they may not listen on that ports, but might change the firewall configuration. I am exclusively interested in how to prevent them from changing the firewall rules (whether or not they are actually listening).– Binarus
Mar 15 at 8:38
1
1
Related post on Super user
– Sefa
Mar 15 at 9:57
Related post on Super user
– Sefa
Mar 15 at 9:57
Thanks for the link - I didn't see that before. Same issue, and no solution ...
– Binarus
Mar 15 at 13:43
Thanks for the link - I didn't see that before. Same issue, and no solution ...
– Binarus
Mar 15 at 13:43
add a comment |
2 Answers
2
active
oldest
votes
One option would be to use Windows access controls to prevent changes to the firewall rules. If you first set the rule to Disabled (or simply deleted it), and then changed the ACLs on the firewall rule storage, it should be possible to avoid the rules re-appearing. While any administrator account could overwrite or bypass your modified ACL, it is highly unlikely that an automated installer would endeavor to do so, and consequently the attempts to change the firewall would simply get "Access Denied".
The good news is that the firewall rules are stored in a predictable location, HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyFirewallRules. They are even entirely human-readable, aside from their names, which are GUIDs; the actual rules are pipe-delimited English text (I am now curious what happens if I make a firewall rule with a pipe character in its description).
The bad news is that the rules are stored as values on a single key (the one given above), and registry ACLs are only available at the granularity of keys. This means that if you deny an account write access to that key, you deny that account the ability to change any firewall rule. This could impair functionality in a number of ways; in the extreme, you would need to manually change the ACL on that key before making any firewall rule changes yourself.
The ideal way to do it would be to use a Deny access control entry for the account that you want to block. Deny entries take precedence over Allow entries for a given specificity level (if an account is both allowed and denied an action, deny wins), and specific (account) similarly wins out over generic (Group). Thus, you can add a Deny entry for a specific account to block that account, without also doing something awkward like blocking the entire Administrators group. Unfortunately, all four Mozilla- or Google-related services installed on my machine (MozillaMaintenance, GoogleChromeElevationService, gupdate, and gupdatem) are configured to run as LocalSystem (a.k.a. SYSTEM). Blocking SYSTEM write access to that key might not be disastrous - in fact, blocking SYSTEM from writing to select registry keys is a common way to keep an admin from making specific changes to a machine via Group Policy - but it would probably break some things. If you end up needing to block actions which are elevated via normal UAC you would need to block either yourself or the Administrators group, and that's even more awkward than blocking SYSTEM.
A solution would be to create a new admin-level service account on the machine, and then modify the Google & Mozilla services to use that account and block that specific account at the registry key. This is not trivial - especially if the services rely on any of the special permissions of being SYSTEM, which by default even the Administrator account does not get all of (though this can, of course, be changed) - but it could be done.
You could also try removing the browsers (and any associated services, manually if needed) and re-installing them using unprivileged installers. This would limit their installer blast radius to your local account, and give them no way to elevate unprompted. Firefox supports portable installs, and Chrome actually used to by default install to your user profile (not your Program Files directory) using a per-user install, so in theory it should be possible to install either one without giving the installer admin rights. Nothing without admin rights can create a way to get admin rights (without a UAC prompt or an EoP vulnerability), so they would not have the ability to silently mess with your firewall, and they would probably not even try (after all, a program installed without Admin can be updated without Admin, and a non-Admin can't change the firewall).
answered Mar 15 at 10:38
CBHackingCBHacking
11.5k21929
2
Thanks - accepted and upvoted. The information about where the firewall rules are installed and your suggestion to deploy the deny-over-allow policy are awesome. In fact, I've already done something like that in the file system, but didn't know that the firewall rules are stored in the registry. I'll try to let the update services run under a different account and try to block that account from accessing that registry key. And -to give something back- the Firefox update service is called "Mozilla Maintenance Service" and is normally listed inservices.msc, at least on my clients.
– Binarus
Mar 15 at 13:33
Thanks @Binarus, I've edited that information into the answer. I forgot that the machine I was writing that on didn't actually have Firefox installed (Pale Moon doesn't use or install the MozillaMaintenance service).
– CBHacking
Mar 15 at 21:33
add a comment |
You have reached one limit on computer security. Best practices ask to only allow elevated priviledges for so called trusted programs. But we all know that for common usage, we have to trust the OS and the browser(*). The problem that your are facing is that is one of this products does something that you do not like, little can be done: once you have allowed elevated priviledges, the system offers no additional protection.
I can hardly imagine a truely preventive strategy here because it is hard to guess what an installation procedure could do, and I know nobody that could say that they can detect and understand any change on a windows system. But when one problem has been identified,
workarounds are often possible. Here I can imagine:
- group policies as you said. BTW, if you have many client machines, you should really considere using AD. You do not even need a AD server license for that because recent versions of SAMBA provide it. And AD can really add a lot when it comes to client machine security
- automate the process of detecting/resetting the firewall rules. Once automated it will appear as an additional step of the browser upgrade
- use a dedicated firewall (a dedicated machine) and implement the firewall rules there.
- maybe others I could not imagine...
Which one will be the more relevant will heavily depend on the real use case...
The best way would be to ask the editors to stop silently opening firewall rules, but I am afraid that this request is unlikely to succeed: there are certainly good reasons for those rules. That is the reason why I only searched for workarounds.
I do not mean here that the browser will run with evelated proviledges, but every updgrade does requires them. And for security reason we cannot use outdated software...
answered Mar 15 at 10:05
Serge BallestaSerge Ballesta
17.6k33062
Thanks for your answer, upvoted. Of course, I already have a dedicated firewall in place which protects the network, but I'd like to use the Windows firewall additionally to protect each client against attacks from within the local network. The idea to automatically correct the firewall rules after each browser update is good; in fact, I already have considered this, but it would mean educating users (I can't see a way to place a hook into the auto-update routines of the browsers). Let's see if there are further suggestions ...
– Binarus
Mar 15 at 13:20
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205416%2fhow-to-prevent-firefox-and-chrome-from-opening-ports-in-the-firewall%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
One option would be to use Windows access controls to prevent changes to the firewall rules. If you first set the rule to Disabled (or simply deleted it), and then changed the ACLs on the firewall rule storage, it should be possible to avoid the rules re-appearing. While any administrator account could overwrite or bypass your modified ACL, it is highly unlikely that an automated installer would endeavor to do so, and consequently the attempts to change the firewall would simply get "Access Denied".
The good news is that the firewall rules are stored in a predictable location, HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyFirewallRules. They are even entirely human-readable, aside from their names, which are GUIDs; the actual rules are pipe-delimited English text (I am now curious what happens if I make a firewall rule with a pipe character in its description).
The bad news is that the rules are stored as values on a single key (the one given above), and registry ACLs are only available at the granularity of keys. This means that if you deny an account write access to that key, you deny that account the ability to change any firewall rule. This could impair functionality in a number of ways; in the extreme, you would need to manually change the ACL on that key before making any firewall rule changes yourself.
The ideal way to do it would be to use a Deny access control entry for the account that you want to block. Deny entries take precedence over Allow entries for a given specificity level (if an account is both allowed and denied an action, deny wins), and specific (account) similarly wins out over generic (Group). Thus, you can add a Deny entry for a specific account to block that account, without also doing something awkward like blocking the entire Administrators group. Unfortunately, all four Mozilla- or Google-related services installed on my machine (MozillaMaintenance, GoogleChromeElevationService, gupdate, and gupdatem) are configured to run as LocalSystem (a.k.a. SYSTEM). Blocking SYSTEM write access to that key might not be disastrous - in fact, blocking SYSTEM from writing to select registry keys is a common way to keep an admin from making specific changes to a machine via Group Policy - but it would probably break some things. If you end up needing to block actions which are elevated via normal UAC you would need to block either yourself or the Administrators group, and that's even more awkward than blocking SYSTEM.
A solution would be to create a new admin-level service account on the machine, and then modify the Google & Mozilla services to use that account and block that specific account at the registry key. This is not trivial - especially if the services rely on any of the special permissions of being SYSTEM, which by default even the Administrator account does not get all of (though this can, of course, be changed) - but it could be done.
You could also try removing the browsers (and any associated services, manually if needed) and re-installing them using unprivileged installers. This would limit their installer blast radius to your local account, and give them no way to elevate unprompted. Firefox supports portable installs, and Chrome actually used to by default install to your user profile (not your Program Files directory) using a per-user install, so in theory it should be possible to install either one without giving the installer admin rights. Nothing without admin rights can create a way to get admin rights (without a UAC prompt or an EoP vulnerability), so they would not have the ability to silently mess with your firewall, and they would probably not even try (after all, a program installed without Admin can be updated without Admin, and a non-Admin can't change the firewall).
answered Mar 15 at 10:38
CBHackingCBHacking
11.5k21929
2
Thanks - accepted and upvoted. The information about where the firewall rules are installed and your suggestion to deploy the deny-over-allow policy are awesome. In fact, I've already done something like that in the file system, but didn't know that the firewall rules are stored in the registry. I'll try to let the update services run under a different account and try to block that account from accessing that registry key. And -to give something back- the Firefox update service is called "Mozilla Maintenance Service" and is normally listed inservices.msc, at least on my clients.
– Binarus
Mar 15 at 13:33
Thanks @Binarus, I've edited that information into the answer. I forgot that the machine I was writing that on didn't actually have Firefox installed (Pale Moon doesn't use or install the MozillaMaintenance service).
– CBHacking
Mar 15 at 21:33
add a comment |
One option would be to use Windows access controls to prevent changes to the firewall rules. If you first set the rule to Disabled (or simply deleted it), and then changed the ACLs on the firewall rule storage, it should be possible to avoid the rules re-appearing. While any administrator account could overwrite or bypass your modified ACL, it is highly unlikely that an automated installer would endeavor to do so, and consequently the attempts to change the firewall would simply get "Access Denied".
The good news is that the firewall rules are stored in a predictable location, HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyFirewallRules. They are even entirely human-readable, aside from their names, which are GUIDs; the actual rules are pipe-delimited English text (I am now curious what happens if I make a firewall rule with a pipe character in its description).
The bad news is that the rules are stored as values on a single key (the one given above), and registry ACLs are only available at the granularity of keys. This means that if you deny an account write access to that key, you deny that account the ability to change any firewall rule. This could impair functionality in a number of ways; in the extreme, you would need to manually change the ACL on that key before making any firewall rule changes yourself.
The ideal way to do it would be to use a Deny access control entry for the account that you want to block. Deny entries take precedence over Allow entries for a given specificity level (if an account is both allowed and denied an action, deny wins), and specific (account) similarly wins out over generic (Group). Thus, you can add a Deny entry for a specific account to block that account, without also doing something awkward like blocking the entire Administrators group. Unfortunately, all four Mozilla- or Google-related services installed on my machine (MozillaMaintenance, GoogleChromeElevationService, gupdate, and gupdatem) are configured to run as LocalSystem (a.k.a. SYSTEM). Blocking SYSTEM write access to that key might not be disastrous - in fact, blocking SYSTEM from writing to select registry keys is a common way to keep an admin from making specific changes to a machine via Group Policy - but it would probably break some things. If you end up needing to block actions which are elevated via normal UAC you would need to block either yourself or the Administrators group, and that's even more awkward than blocking SYSTEM.
A solution would be to create a new admin-level service account on the machine, and then modify the Google & Mozilla services to use that account and block that specific account at the registry key. This is not trivial - especially if the services rely on any of the special permissions of being SYSTEM, which by default even the Administrator account does not get all of (though this can, of course, be changed) - but it could be done.
You could also try removing the browsers (and any associated services, manually if needed) and re-installing them using unprivileged installers. This would limit their installer blast radius to your local account, and give them no way to elevate unprompted. Firefox supports portable installs, and Chrome actually used to by default install to your user profile (not your Program Files directory) using a per-user install, so in theory it should be possible to install either one without giving the installer admin rights. Nothing without admin rights can create a way to get admin rights (without a UAC prompt or an EoP vulnerability), so they would not have the ability to silently mess with your firewall, and they would probably not even try (after all, a program installed without Admin can be updated without Admin, and a non-Admin can't change the firewall).
answered Mar 15 at 10:38
CBHackingCBHacking
11.5k21929
2
Thanks - accepted and upvoted. The information about where the firewall rules are installed and your suggestion to deploy the deny-over-allow policy are awesome. In fact, I've already done something like that in the file system, but didn't know that the firewall rules are stored in the registry. I'll try to let the update services run under a different account and try to block that account from accessing that registry key. And -to give something back- the Firefox update service is called "Mozilla Maintenance Service" and is normally listed inservices.msc, at least on my clients.
– Binarus
Mar 15 at 13:33
Thanks @Binarus, I've edited that information into the answer. I forgot that the machine I was writing that on didn't actually have Firefox installed (Pale Moon doesn't use or install the MozillaMaintenance service).
– CBHacking
Mar 15 at 21:33
add a comment |
One option would be to use Windows access controls to prevent changes to the firewall rules. If you first set the rule to Disabled (or simply deleted it), and then changed the ACLs on the firewall rule storage, it should be possible to avoid the rules re-appearing. While any administrator account could overwrite or bypass your modified ACL, it is highly unlikely that an automated installer would endeavor to do so, and consequently the attempts to change the firewall would simply get "Access Denied".
The good news is that the firewall rules are stored in a predictable location, HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyFirewallRules. They are even entirely human-readable, aside from their names, which are GUIDs; the actual rules are pipe-delimited English text (I am now curious what happens if I make a firewall rule with a pipe character in its description).
The bad news is that the rules are stored as values on a single key (the one given above), and registry ACLs are only available at the granularity of keys. This means that if you deny an account write access to that key, you deny that account the ability to change any firewall rule. This could impair functionality in a number of ways; in the extreme, you would need to manually change the ACL on that key before making any firewall rule changes yourself.
The ideal way to do it would be to use a Deny access control entry for the account that you want to block. Deny entries take precedence over Allow entries for a given specificity level (if an account is both allowed and denied an action, deny wins), and specific (account) similarly wins out over generic (Group). Thus, you can add a Deny entry for a specific account to block that account, without also doing something awkward like blocking the entire Administrators group. Unfortunately, all four Mozilla- or Google-related services installed on my machine (MozillaMaintenance, GoogleChromeElevationService, gupdate, and gupdatem) are configured to run as LocalSystem (a.k.a. SYSTEM). Blocking SYSTEM write access to that key might not be disastrous - in fact, blocking SYSTEM from writing to select registry keys is a common way to keep an admin from making specific changes to a machine via Group Policy - but it would probably break some things. If you end up needing to block actions which are elevated via normal UAC you would need to block either yourself or the Administrators group, and that's even more awkward than blocking SYSTEM.
A solution would be to create a new admin-level service account on the machine, and then modify the Google & Mozilla services to use that account and block that specific account at the registry key. This is not trivial - especially if the services rely on any of the special permissions of being SYSTEM, which by default even the Administrator account does not get all of (though this can, of course, be changed) - but it could be done.
You could also try removing the browsers (and any associated services, manually if needed) and re-installing them using unprivileged installers. This would limit their installer blast radius to your local account, and give them no way to elevate unprompted. Firefox supports portable installs, and Chrome actually used to by default install to your user profile (not your Program Files directory) using a per-user install, so in theory it should be possible to install either one without giving the installer admin rights. Nothing without admin rights can create a way to get admin rights (without a UAC prompt or an EoP vulnerability), so they would not have the ability to silently mess with your firewall, and they would probably not even try (after all, a program installed without Admin can be updated without Admin, and a non-Admin can't change the firewall).
answered Mar 15 at 10:38
CBHackingCBHacking
11.5k21929
One option would be to use Windows access controls to prevent changes to the firewall rules. If you first set the rule to Disabled (or simply deleted it), and then changed the ACLs on the firewall rule storage, it should be possible to avoid the rules re-appearing. While any administrator account could overwrite or bypass your modified ACL, it is highly unlikely that an automated installer would endeavor to do so, and consequently the attempts to change the firewall would simply get "Access Denied".
The good news is that the firewall rules are stored in a predictable location, HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyFirewallRules. They are even entirely human-readable, aside from their names, which are GUIDs; the actual rules are pipe-delimited English text (I am now curious what happens if I make a firewall rule with a pipe character in its description).
The bad news is that the rules are stored as values on a single key (the one given above), and registry ACLs are only available at the granularity of keys. This means that if you deny an account write access to that key, you deny that account the ability to change any firewall rule. This could impair functionality in a number of ways; in the extreme, you would need to manually change the ACL on that key before making any firewall rule changes yourself.
The ideal way to do it would be to use a Deny access control entry for the account that you want to block. Deny entries take precedence over Allow entries for a given specificity level (if an account is both allowed and denied an action, deny wins), and specific (account) similarly wins out over generic (Group). Thus, you can add a Deny entry for a specific account to block that account, without also doing something awkward like blocking the entire Administrators group. Unfortunately, all four Mozilla- or Google-related services installed on my machine (MozillaMaintenance, GoogleChromeElevationService, gupdate, and gupdatem) are configured to run as LocalSystem (a.k.a. SYSTEM). Blocking SYSTEM write access to that key might not be disastrous - in fact, blocking SYSTEM from writing to select registry keys is a common way to keep an admin from making specific changes to a machine via Group Policy - but it would probably break some things. If you end up needing to block actions which are elevated via normal UAC you would need to block either yourself or the Administrators group, and that's even more awkward than blocking SYSTEM.
A solution would be to create a new admin-level service account on the machine, and then modify the Google & Mozilla services to use that account and block that specific account at the registry key. This is not trivial - especially if the services rely on any of the special permissions of being SYSTEM, which by default even the Administrator account does not get all of (though this can, of course, be changed) - but it could be done.
You could also try removing the browsers (and any associated services, manually if needed) and re-installing them using unprivileged installers. This would limit their installer blast radius to your local account, and give them no way to elevate unprompted. Firefox supports portable installs, and Chrome actually used to by default install to your user profile (not your Program Files directory) using a per-user install, so in theory it should be possible to install either one without giving the installer admin rights. Nothing without admin rights can create a way to get admin rights (without a UAC prompt or an EoP vulnerability), so they would not have the ability to silently mess with your firewall, and they would probably not even try (after all, a program installed without Admin can be updated without Admin, and a non-Admin can't change the firewall).
answered Mar 15 at 10:38
CBHackingCBHacking
11.5k21929
edited Mar 15 at 21:31
answered Mar 15 at 10:38
CBHackingCBHacking
11.5k21929
answered Mar 15 at 10:38
CBHackingCBHacking
11.5k21929
answered Mar 15 at 10:38
CBHackingCBHacking
11.5k21929
11.5k21929
2
Thanks - accepted and upvoted. The information about where the firewall rules are installed and your suggestion to deploy the deny-over-allow policy are awesome. In fact, I've already done something like that in the file system, but didn't know that the firewall rules are stored in the registry. I'll try to let the update services run under a different account and try to block that account from accessing that registry key. And -to give something back- the Firefox update service is called "Mozilla Maintenance Service" and is normally listed inservices.msc, at least on my clients.
– Binarus
Mar 15 at 13:33
Thanks @Binarus, I've edited that information into the answer. I forgot that the machine I was writing that on didn't actually have Firefox installed (Pale Moon doesn't use or install the MozillaMaintenance service).
– CBHacking
Mar 15 at 21:33
add a comment |
2
Thanks - accepted and upvoted. The information about where the firewall rules are installed and your suggestion to deploy the deny-over-allow policy are awesome. In fact, I've already done something like that in the file system, but didn't know that the firewall rules are stored in the registry. I'll try to let the update services run under a different account and try to block that account from accessing that registry key. And -to give something back- the Firefox update service is called "Mozilla Maintenance Service" and is normally listed inservices.msc, at least on my clients.
– Binarus
Mar 15 at 13:33
Thanks @Binarus, I've edited that information into the answer. I forgot that the machine I was writing that on didn't actually have Firefox installed (Pale Moon doesn't use or install the MozillaMaintenance service).
– CBHacking
Mar 15 at 21:33
2
2
Thanks - accepted and upvoted. The information about where the firewall rules are installed and your suggestion to deploy the deny-over-allow policy are awesome. In fact, I've already done something like that in the file system, but didn't know that the firewall rules are stored in the registry. I'll try to let the update services run under a different account and try to block that account from accessing that registry key. And -to give something back- the Firefox update service is called "Mozilla Maintenance Service" and is normally listed in
services.msc, at least on my clients.– Binarus
Mar 15 at 13:33
Thanks - accepted and upvoted. The information about where the firewall rules are installed and your suggestion to deploy the deny-over-allow policy are awesome. In fact, I've already done something like that in the file system, but didn't know that the firewall rules are stored in the registry. I'll try to let the update services run under a different account and try to block that account from accessing that registry key. And -to give something back- the Firefox update service is called "Mozilla Maintenance Service" and is normally listed in
services.msc, at least on my clients.– Binarus
Mar 15 at 13:33
Thanks @Binarus, I've edited that information into the answer. I forgot that the machine I was writing that on didn't actually have Firefox installed (Pale Moon doesn't use or install the MozillaMaintenance service).
– CBHacking
Mar 15 at 21:33
Thanks @Binarus, I've edited that information into the answer. I forgot that the machine I was writing that on didn't actually have Firefox installed (Pale Moon doesn't use or install the MozillaMaintenance service).
– CBHacking
Mar 15 at 21:33
add a comment |
You have reached one limit on computer security. Best practices ask to only allow elevated priviledges for so called trusted programs. But we all know that for common usage, we have to trust the OS and the browser(*). The problem that your are facing is that is one of this products does something that you do not like, little can be done: once you have allowed elevated priviledges, the system offers no additional protection.
I can hardly imagine a truely preventive strategy here because it is hard to guess what an installation procedure could do, and I know nobody that could say that they can detect and understand any change on a windows system. But when one problem has been identified,
workarounds are often possible. Here I can imagine:
- group policies as you said. BTW, if you have many client machines, you should really considere using AD. You do not even need a AD server license for that because recent versions of SAMBA provide it. And AD can really add a lot when it comes to client machine security
- automate the process of detecting/resetting the firewall rules. Once automated it will appear as an additional step of the browser upgrade
- use a dedicated firewall (a dedicated machine) and implement the firewall rules there.
- maybe others I could not imagine...
Which one will be the more relevant will heavily depend on the real use case...
The best way would be to ask the editors to stop silently opening firewall rules, but I am afraid that this request is unlikely to succeed: there are certainly good reasons for those rules. That is the reason why I only searched for workarounds.
I do not mean here that the browser will run with evelated proviledges, but every updgrade does requires them. And for security reason we cannot use outdated software...
answered Mar 15 at 10:05
Serge BallestaSerge Ballesta
17.6k33062
Thanks for your answer, upvoted. Of course, I already have a dedicated firewall in place which protects the network, but I'd like to use the Windows firewall additionally to protect each client against attacks from within the local network. The idea to automatically correct the firewall rules after each browser update is good; in fact, I already have considered this, but it would mean educating users (I can't see a way to place a hook into the auto-update routines of the browsers). Let's see if there are further suggestions ...
– Binarus
Mar 15 at 13:20
add a comment |
You have reached one limit on computer security. Best practices ask to only allow elevated priviledges for so called trusted programs. But we all know that for common usage, we have to trust the OS and the browser(*). The problem that your are facing is that is one of this products does something that you do not like, little can be done: once you have allowed elevated priviledges, the system offers no additional protection.
I can hardly imagine a truely preventive strategy here because it is hard to guess what an installation procedure could do, and I know nobody that could say that they can detect and understand any change on a windows system. But when one problem has been identified,
workarounds are often possible. Here I can imagine:
- group policies as you said. BTW, if you have many client machines, you should really considere using AD. You do not even need a AD server license for that because recent versions of SAMBA provide it. And AD can really add a lot when it comes to client machine security
- automate the process of detecting/resetting the firewall rules. Once automated it will appear as an additional step of the browser upgrade
- use a dedicated firewall (a dedicated machine) and implement the firewall rules there.
- maybe others I could not imagine...
Which one will be the more relevant will heavily depend on the real use case...
The best way would be to ask the editors to stop silently opening firewall rules, but I am afraid that this request is unlikely to succeed: there are certainly good reasons for those rules. That is the reason why I only searched for workarounds.
I do not mean here that the browser will run with evelated proviledges, but every updgrade does requires them. And for security reason we cannot use outdated software...
answered Mar 15 at 10:05
Serge BallestaSerge Ballesta
17.6k33062
Thanks for your answer, upvoted. Of course, I already have a dedicated firewall in place which protects the network, but I'd like to use the Windows firewall additionally to protect each client against attacks from within the local network. The idea to automatically correct the firewall rules after each browser update is good; in fact, I already have considered this, but it would mean educating users (I can't see a way to place a hook into the auto-update routines of the browsers). Let's see if there are further suggestions ...
– Binarus
Mar 15 at 13:20
add a comment |
You have reached one limit on computer security. Best practices ask to only allow elevated priviledges for so called trusted programs. But we all know that for common usage, we have to trust the OS and the browser(*). The problem that your are facing is that is one of this products does something that you do not like, little can be done: once you have allowed elevated priviledges, the system offers no additional protection.
I can hardly imagine a truely preventive strategy here because it is hard to guess what an installation procedure could do, and I know nobody that could say that they can detect and understand any change on a windows system. But when one problem has been identified,
workarounds are often possible. Here I can imagine:
- group policies as you said. BTW, if you have many client machines, you should really considere using AD. You do not even need a AD server license for that because recent versions of SAMBA provide it. And AD can really add a lot when it comes to client machine security
- automate the process of detecting/resetting the firewall rules. Once automated it will appear as an additional step of the browser upgrade
- use a dedicated firewall (a dedicated machine) and implement the firewall rules there.
- maybe others I could not imagine...
Which one will be the more relevant will heavily depend on the real use case...
The best way would be to ask the editors to stop silently opening firewall rules, but I am afraid that this request is unlikely to succeed: there are certainly good reasons for those rules. That is the reason why I only searched for workarounds.
I do not mean here that the browser will run with evelated proviledges, but every updgrade does requires them. And for security reason we cannot use outdated software...
answered Mar 15 at 10:05
Serge BallestaSerge Ballesta
17.6k33062
You have reached one limit on computer security. Best practices ask to only allow elevated priviledges for so called trusted programs. But we all know that for common usage, we have to trust the OS and the browser(*). The problem that your are facing is that is one of this products does something that you do not like, little can be done: once you have allowed elevated priviledges, the system offers no additional protection.
I can hardly imagine a truely preventive strategy here because it is hard to guess what an installation procedure could do, and I know nobody that could say that they can detect and understand any change on a windows system. But when one problem has been identified,
workarounds are often possible. Here I can imagine:
- group policies as you said. BTW, if you have many client machines, you should really considere using AD. You do not even need a AD server license for that because recent versions of SAMBA provide it. And AD can really add a lot when it comes to client machine security
- automate the process of detecting/resetting the firewall rules. Once automated it will appear as an additional step of the browser upgrade
- use a dedicated firewall (a dedicated machine) and implement the firewall rules there.
- maybe others I could not imagine...
Which one will be the more relevant will heavily depend on the real use case...
The best way would be to ask the editors to stop silently opening firewall rules, but I am afraid that this request is unlikely to succeed: there are certainly good reasons for those rules. That is the reason why I only searched for workarounds.
I do not mean here that the browser will run with evelated proviledges, but every updgrade does requires them. And for security reason we cannot use outdated software...
answered Mar 15 at 10:05
Serge BallestaSerge Ballesta
17.6k33062
answered Mar 15 at 10:05
Serge BallestaSerge Ballesta
17.6k33062
answered Mar 15 at 10:05
Serge BallestaSerge Ballesta
17.6k33062
answered Mar 15 at 10:05
Serge BallestaSerge Ballesta
17.6k33062
17.6k33062
Thanks for your answer, upvoted. Of course, I already have a dedicated firewall in place which protects the network, but I'd like to use the Windows firewall additionally to protect each client against attacks from within the local network. The idea to automatically correct the firewall rules after each browser update is good; in fact, I already have considered this, but it would mean educating users (I can't see a way to place a hook into the auto-update routines of the browsers). Let's see if there are further suggestions ...
– Binarus
Mar 15 at 13:20
add a comment |
Thanks for your answer, upvoted. Of course, I already have a dedicated firewall in place which protects the network, but I'd like to use the Windows firewall additionally to protect each client against attacks from within the local network. The idea to automatically correct the firewall rules after each browser update is good; in fact, I already have considered this, but it would mean educating users (I can't see a way to place a hook into the auto-update routines of the browsers). Let's see if there are further suggestions ...
– Binarus
Mar 15 at 13:20
Thanks for your answer, upvoted. Of course, I already have a dedicated firewall in place which protects the network, but I'd like to use the Windows firewall additionally to protect each client against attacks from within the local network. The idea to automatically correct the firewall rules after each browser update is good; in fact, I already have considered this, but it would mean educating users (I can't see a way to place a hook into the auto-update routines of the browsers). Let's see if there are further suggestions ...
– Binarus
Mar 15 at 13:20
Thanks for your answer, upvoted. Of course, I already have a dedicated firewall in place which protects the network, but I'd like to use the Windows firewall additionally to protect each client against attacks from within the local network. The idea to automatically correct the firewall rules after each browser update is good; in fact, I already have considered this, but it would mean educating users (I can't see a way to place a hook into the auto-update routines of the browsers). Let's see if there are further suggestions ...
– Binarus
Mar 15 at 13:20
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205416%2fhow-to-prevent-firefox-and-chrome-from-opening-ports-in-the-firewall%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
All what I read here are just claims, which might be true or might be caused by some misunderstanding. Could you actually provide detailed information what ports are exactly opened in your opinion, i.e. show the relevant output from netstat or wherever you got this information from?
– Steffen Ullrich
Mar 15 at 8:15
Actually showing those rules is difficult because I've just deleted them before asking. However, the steps to reproduce are: Install Firefox; install Chrome; Open the management GUI for "Windows Firewall with advanced security"; select "Inbound Rules"; notice two rules whose name starts with "Firefox" and one rule named "Chrome (mDNS in)"; examine each rule by double-clicking it and cycling through the tabs of the dialog box that opens. I'll add this to my question.
– Binarus
Mar 15 at 8:20
@SteffenUllrich And further more, I am not interested if Firefox / Chrome actually listen somewhere, i.e. I am not interested in
netstator similar tools. I am interested in the firewall settings which don't have anything to do with that. After all, Firefox and Chrome could listen on some ports, but that wouldn't be harmful if the firewall would block them; or they may not listen on that ports, but might change the firewall configuration. I am exclusively interested in how to prevent them from changing the firewall rules (whether or not they are actually listening).– Binarus
Mar 15 at 8:38
1
Related post on Super user
– Sefa
Mar 15 at 9:57
Thanks for the link - I didn't see that before. Same issue, and no solution ...
– Binarus
Mar 15 at 13:43