Sphinx Windows er, 10, Firewall Control



#1
NoelC

    Software Engineer

  • Member
  • 2,988 posts
  • Joined 08-April 13
  • OS:Windows 8.1 x64

Thanks to the recommendation of xpclient I've bought a firewall management product for use on my Win 8.1 system et al. called:

 

Sphinx Windows 10 Firewall Control

 

Yes, it works with Win 8.1.  It has Win 10 in the name because I guess they feel the need for it to sound current.  I think it was originally called Windows Vista Firewall Control. 

 

It's effective.  Here's a review.

 

Background

 

A few weeks ago I decided I'd take more control of my system security. 

 

Over the years I had already made many system changes to enhance privacy and maximize security.  These involved:

  • Deconfiguring all "participate in Customer Experience Improvement Program" settings.
     
  • Using only a local account.
      
  • De-installing software (e.g. OneDrive, Windows Store stuff, etc.), disabling services that intrude, disabling scheduled jobs that send data into Microsoft.
     
  • Not running any Metro/Modern Apps.  I simply don't need 'em.
     
  • Adding tens of thousands of lines to my "hosts" file to locally resolve server names known for providing badware and for snooping to 0.0.0.0 (i.e., to have network accesses to them by name fail).
     
  • De-configuring Internet Explorer's ability to run ActiveX and let scripts run wild.
     
  • De-configuring Windows Update from doing anything without my initiating it.

 

My goals are fairly simple

 

Allow anything initiated by me that I know needs to communicate online, while minimizing the risk of extra privacy-invading communications, and completely eliminating spurious communications not initiated by me.

 

I wasn't sure it was possible.  Would (my legitimately licensed) Windows 8.1 deactivate itself if it can't regularly contact the mothership?  Would Windows Update stop working?  Would the level of communications be so high that I would never be able to ferret-out what needs to be allowed and what needs to be blocked?

 

I'm here to say that the Sphinx software does allow enough control and management capability to accomplish these goals.  It does seem possible to shut the system the hell up and have it do only what *I* want!

 

 

Recent History

 

Unfortunately, looking over the amount of network traffic my system was generating, I found it was still way too chatty.  Not like what we're hearing about Windows 10, mind you, but still WAY too promiscuous online.  Even Task Manager tallied up megabytes of data traffic overnight when I wasn't doing anything.  The dreaded telemetry?  Sending of my personal data to Microsoft to "help them make Windows better"?

 

I decided to see if it was possible to institute a "deny by default" outgoing firewall strategy that was 1) doable and 2) manageable long-term.

 

In another thread recently I outlined my initial attempts at this, which were somewhat successful but lacked the reporting and organizational capacity for me to be able to manage the process in an ongoing way.

 

Enter Sphinx.   Again, thanks to xpclient for the recommendation.

 

SphinxSettings.png

 

I started by evaluating the base edition in a VM.  Basically, download, install, and wonder what to do next - the standard stuff.

 

After a little while, looking over the package and reading the manual, the realization began to dawn how this firewall manager views the world: 

 

1.  It denies all communications by default.

 

2.  It defines Zones - basically groups of rules that accomplish something, such as "allow typical web browsing" or "allow LAN-only communications".

 

3.  It facilitates your definition and management of a list of Programs.  Basically, an entry in this list says "let Program xxxxxxxx do what's in the Zone that's assigned to it".

 

4.  It does NOT attempt to control anything you've already set up in the Windows Advanced Firewall.  It works completely separately, even though it uses the underlying security engine provided by Windows.

 

As an example, you might set up Internet Explorer to be in the WebBrowser zone, then make sure the WebBrowser zone allows only the communications you want web browsers to be able to do.

 

By crafty creation of Zones (and/or modification of the Zones provided, which are pretty good), one can build up a set of rules that allows what you define to be essential communications and nothing else.  The base version provides a few pre-defined Zones.  It turns out the more expensive editions have more (and more detailed) pre-defined zones.

 

SphinxZonesList.png

 

The program pops up a notification if it spots a Program it doesn't already have an entry for trying to communicate online.  THAT access was denied, but using the pop-up you can define a new Program entry, so you can allow the next one - if you want to.

 

SphinxPopup.png

 

Thus you can build up the list of Programs that try to do network access by doing the things you normally do, then make informed decisions about whether to allow them to communicate online.

 

The program also provides, besides the above pop-ups, a small one or two line status pop-up in the corner of the monitor that shows what's just happened, and an Events page where you can see a list of all networking activities attempted (blocked or allowed).  It's possible to get a pretty good feel for what's happening with this software.

 

Over time, just by using the system it becomes possible to build a list of just what you want to allow, and to either continue to log messages on the screen and in the Event log or hide the messages entirely from either place.

 

SphinxProgramsList.png

 

You can, for example, once you're confident in your WebBrowserZone settings, just hide the activity of your web browser from the Events tab and from popping up.  That way you can more easily concentrate on what's left.

 

SphinxEventsList.png

 

I reduced the rule set in the Windows Advanced Firewall to nothing.  Only the Sphinx setup now governs my entire system.

 

Which edition

 

As I mentioned above, initially I installed the base version.  However, after evaluating that variant in a VM and seeing what I could do with it, I chose to buy the "Plus" edition, and with that achieved a pretty good configuration in which very little was getting out.

 

But I craved more control and asked the author (on their forum) whether it's possible to get more granularity (e.g., WHICH service is trying to communicate?).  They noted that their "Network/Cloud" edition gives more control and allowed me to upgrade the license for an incremental price.

 

Since the Network/Cloud edition allows you to set up firewalls on your main system and 3 additional "slave" systems, I've decided to set up my whole stable of systems and VMs with this software.  At this point I've found a minor glitch with the control setup (adding "Agents") and they're working on a bugfix.

 

-Noel


Edited by NoelC, Today, 04:46 PM.




#2
dencorso

    Iuvat plus qui nihil obstat

  • Supervisor
  • 6,075 posts
  • Joined 07-April 07
  • OS:98SE

Donator

I understand you're using the MVPS hosts file as the starting point to build your customized version, right?

Would you consider sharing the file to prepend their hosts file so as to replicate your current one, Noel?

I'd like to test it on XP SP3 and on 7 SP1...



#3
NoelC

NoelC

    Software Engineer

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,988 posts
  • Joined 08-April 13
  • OS:Windows 8.1 x64
  • Country: Country Flag

Sure, here you go (the whole thing).  There are probably a few duplicates; I don't try to rid it of them, since that would make merging new data from various sources harder.

 

http://Noel.ProDigit...Win81/hosts.zip

 

Note that the September MVPS hosts file hasn't yet been released, but should be in a few days.

 

-Noel


  • dencorso likes this
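
Added example, not part of the thread or of the shared hosts file: one way to merge several hosts-format blocklists into a single file that resolves each name to 0.0.0.0, dropping duplicates at merge time so the source lists stay untouched. The function names and the sample entries (example.com names) are constructed for illustration.

```python
import re

# Local names the OS expects in hosts, and addresses lists use as a sinkhole.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Dotted DNS name; single-label and malformed tokens are rejected.
NAME_RE = re.compile(r"^([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z0-9-]{2,63}$")

def parse_hosts(text):
    """Yield normalized hostnames that a hosts-format list sinkholes."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            continue                               # blank line or a real mapping
        for name in fields[1:]:                    # a line may carry several names
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES and NAME_RE.match(name):
                yield name

def merge_blocklists(sources, sink="0.0.0.0"):
    """Merge {label: hosts_text}; return (merged_text, {label: (added, dupes)})."""
    seen, ordered, stats = set(), [], {}
    for label, text in sources.items():
        added = dupes = 0
        for name in parse_hosts(text):
            if name in seen:
                dupes += 1
            else:
                seen.add(name)
                ordered.append(name)
                added += 1
        stats[label] = (added, dupes)
    lines = ["127.0.0.1 localhost"] + [f"{sink} {n}" for n in ordered]
    return "\n".join(lines) + "\n", stats

# Constructed sample inputs (not taken from any real blocklist).
LIST_A = """127.0.0.1  localhost
0.0.0.0 ads.example.com   # inline comment
0.0.0.0 Tracker.Example.NET
0.0.0.0 ads.example.com
"""
LIST_B = """127.0.0.1 ads.example.com tracker.example.net
0.0.0.0 telemetry.example.org.
192.0.2.10 intranet.example.com
0.0.0.0 not a hostname!
"""

if __name__ == "__main__":
    print(*merge_blocklists({"A": LIST_A, "B": LIST_B}), sep="\n")
```

The per-source counts show how much each list contributes beyond the ones merged before it, and lines that map a name to a real address are left out of the output rather than rewritten.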

#4
xpclient

    XP was my idea. 3rd party apps make the garbage after it my idea

  • Member
  • 367 posts
  • Joined 30-July 05
  • OS:XP Pro x64

Thanks. I see that the UI has got quite complex with lots of options (I love options! :w00t:  ) compared to the older and freeware version I use.


Impossible to run the garbage Windows OSes after XP without third party fixes.


#5
NoelC

    Software Engineer

  • Member
  • 2,988 posts
  • Joined 08-April 13
  • OS:Windows 8.1 x64

A lot of those came in with the high-end version.  And yes, I see justification in having every one of them.

 

I don't know whether the configuration from one variant of the software can be loaded into another variant - and I understand that one person's choices don't always reflect another's needs - but I'm willing to go into specifics and share my approach and settings if there's interest.

 

-Noel





