CryptSvc not matched by Windows 7 Firewall rule
- by theultramage
I am using Windows Firewall in conjunction with a third-party tool to get notified about new outbound connection attempts (Windows Firewall Notifier or Windows Firewall Control).
The way these tools do it is by setting the firewall to deny by default, and to add an auditing policy to log blocked connections into the Security event log. Then they watch the log, and display notification about newly added entries.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
auditpol /set /subcategory:{0CCE9226-69AE-11D9-BED3-505054503030} /failure:enable
With this configuration in place, I now need to craft outbound allow rules for applications and system services. Here is the rule for CryptSvc, the service frequently used for certificate validation and revocation checking:
netsh advfirewall firewall add rule
name="Windows Cryptographic Services" action=allow enable=yes profile=any
program="%SystemRoot%\system32\svchost.exe" service="CryptSvc"
dir=out protocol=tcp remoteport=80,443
The problem is, this rule does not work. Unless I change the scope to "all programs and services" (which is really unhealthy), connection denied events like the following will keep appearing in the security log:
Event 5157, Microsoft Windows security auditing.
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 1476 (<- svchost.exe with CryptSvc and nothing else)
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 192.168.0.1
Source Port: 49616
Destination Address: 2.16.52.16
Destination Port: 80
Protocol: 6 (<- TCP)
To make sure it's CryptSvc, I have let the connection through and reviewed its traffic; I also configured CryptSvc to run in its own svchost instance to make it more obvious:
;sc config CryptSvc type= share
sc config CryptSvc type= own
So... why is it not matching the firewall rule, and how to fix that?
