I'm looking to configure the Windows Firewall to block outbound connections by default. However, I'm concerned about potentially breaking services or applications that need access. Windows Firewall doesn't have an audit mode, so it doesn't tell you which ports are in use for whitelisting. I've thought about gathering a list of apps and checking online for the ports they need, but I'm worried I might miss important Windows services that also require open ports. Has anyone successfully set this up? Any strategies besides doing extensive testing?
2 Answers
A good starting point is to enable Windows Firewall logging. This way, you can track successful outbound connection attempts and review the logs later. You could even export these logs to a centralized system for analysis.
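Worked example, added here and not part of either answer: a small Python script that reads a Windows Firewall log in the classic pfirewall.log layout and summarises the allowed outbound (SEND) records by protocol and destination port, so the result can be turned into an allow list. It assumes logging of allowed connections was switched on first (for instance with `Set-NetFirewallProfile -All -LogAllowed True` in an elevated PowerShell) and that the log uses the 17-field format shown in the constructed sample, whose lines are made up for illustration.

```python
"""Summarise allowed outbound connections from a Windows Firewall log (pfirewall.log)."""
from collections import defaultdict

# Constructed sample in the classic pfirewall.log layout (assumption: 17 fields, no process column).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:23:45 ALLOW TCP 192.168.1.10 93.184.216.34 51234 443 0 - 0 0 0 - - - SEND
2024-01-15 10:23:46 ALLOW TCP 192.168.1.10 93.184.216.34 51235 443 0 - 0 0 0 - - - SEND
2024-01-15 10:23:47 ALLOW UDP 192.168.1.10 192.168.1.1 60001 53 0 - - - - - - - SEND
2024-01-15 10:23:48 ALLOW TCP 192.168.1.10 10.0.0.5 51236 445 0 - 0 0 0 - - - SEND
2024-01-15 10:23:49 ALLOW TCP 203.0.113.7 192.168.1.10 40000 3389 0 - 0 0 0 - - - RECEIVE
2024-01-15 10:23:50 DROP TCP 192.168.1.10 198.51.100.9 51237 25 0 - 0 0 0 - - - SEND
"""


def parse_log(text):
    """Yield one dict per record, naming columns from the #Fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or foreign lines
                yield dict(zip(fields, parts))


def outbound_allowed(text):
    """Aggregate ALLOW records with path SEND by (protocol, dst-port).

    Ports are kept as strings so ICMP records ("-") do not break the grouping.
    Inbound (RECEIVE) and DROP records are ignored: they say nothing about
    which outbound traffic an allow list must keep working.
    """
    summary = defaultdict(lambda: {"count": 0, "destinations": set()})
    for rec in parse_log(text):
        if rec["action"] == "ALLOW" and rec["path"] == "SEND":
            key = (rec["protocol"], rec["dst-port"])
            summary[key]["count"] += 1
            summary[key]["destinations"].add(rec["dst-ip"])
    return dict(summary)


if __name__ == "__main__":
    for (proto, port), info in sorted(outbound_allowed(SAMPLE_LOG).items()):
        print(f"{proto:4} {port:>5} {info['count']:4} hits  {sorted(info['destinations'])}")
```

Point the script at a copy of the real log file (default location %systemroot%\system32\LogFiles\Firewall\pfirewall.log) instead of the sample once logging has run for a representative period. The format shown records no process name, so pair the port summary with a process-level view before writing rules.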
You can use Resource Monitor or the command `netstat -an | find "LISTENING"` to see what outbound connections are active and by which processes. In my experience, managing deny-all at the network's edge and whitelisting specific applications directly on the host tends to work better. Tools like AppLocker or WDAC are great for this.

Thanks for the tip! Just a heads-up though, Resource Monitor might not catch short-lived connections – like opening a browser to check for updates may go unnoticed.