Thanks to the recommendation of xpclient I've bought a firewall management product for use on my Win 8.1 system et al. called:
Sphinx Windows 10 Firewall Control
Yes, it works with Win 8.1. It has Win 10 in the name because I guess they feel the need for it to sound current. I think it was originally called Windows Vista Firewall Control.
It's effective. Here's a review.
A few weeks ago I decided I'd take more control of my system security.
Over the years I had already made many system changes to enhance privacy and maximize security. These involved:
- Deconfiguring all "participate in Customer Experience Improvement Program" settings.
- Using only a local account.
- De-installing software (e.g. OneDrive, Windows Store stuff, etc.), disabling services that intrude, disabling scheduled jobs that send data into Microsoft.
- Not running any Metro/Modern Apps. I simply don't need 'em.
- Adding tens of thousands of lines to my "hosts" file to locally resolve server names known for providing badware and for snooping to 0.0.0.0 (i.e., to have network accesses to them by name fail).
- De-configuring Internet Explorer's ability to run ActiveX and let scripts run wild.
- De-configuring Windows Update from doing anything without my initiating it.
My goals are fairly simple:
Allow anything initiated by me that I know needs to communicate online, while minimizing the risk of extra privacy-invading communications, and completely eliminating spurious communications not initiated by me.
I wasn't sure it was possible. Would (my legitimately licensed) Windows 8.1 deactivate itself if it can't regularly contact the mothership? Would Windows Update stop working? Would the level of communications be so high that I would never be able to ferret out what needs to be allowed and what needs to be blocked?
I'm here to say that the Sphinx software does allow enough control and management capability to accomplish these goals. It does seem possible to shut the system the hell up and have it do only what *I* want!
Unfortunately, looking over the amount of network traffic my system was generating, I found it was still way too chatty. Not like what we're hearing about Windows 10, mind you, but still WAY too promiscuous online. Even Task Manager tallied up megabytes of data traffic overnight when I wasn't doing anything. The dreaded telemetry? Sending of my personal data to Microsoft to "help them make Windows better"?
I decided to see if it was possible to institute a "deny by default" outgoing firewall strategy that was 1) doable and 2) manageable long-term.
In another thread recently I outlined my initial attempts at this, which were somewhat successful but lacked the reporting and organizational capacity for me to be able to manage the process in an ongoing way.
Enter Sphinx. Again, thanks to xpclient for the recommendation.
I started by evaluating the base edition in a VM. Basically, download, install, and wonder what to do next - the standard stuff.
After a little while, looking over the package and reading the manual, the realization began to dawn how this firewall manager views the world:
1. It denies all communications by default.
2. It defines Zones - basically groups of rules that accomplish something, such as "allow typical web browsing" or "allow LAN-only communications".
3. It facilitates your definition and management of a list of Programs. Basically, an entry in this list says "let Program xxxxxxxx do what's in the Zone that's assigned to it".
4. It does NOT attempt to control anything you've already set up in the Windows Advanced Firewall. It works completely separately, even though it uses the underlying security engine provided by Windows.
As an example, you might set up Internet Explorer to be in the WebBrowser zone, then make sure the WebBrowser zone allows only the communications you want web browsers to be able to do.
By crafty creation of Zones (and/or modification of the Zones provided, which are pretty good), one can build up a set of rules that allows what you define to be essential communications and nothing else. The base version provides a few pre-defined Zones. It turns out the more expensive editions have more (and more detailed) pre-defined zones.
The program pops up a notification if it spots a Program it doesn't already have an entry for trying to communicate online. THAT access was denied, but using the pop-up you can define a new Program entry, so you can allow the next one - if you want to.
Thus you can build up the list of Programs that try to do network access by doing the things you normally do, then make informed decisions about whether to allow them to communicate online.
The program also provides, besides the above pop-ups, a small one or two line status pop-up in the corner of the monitor that shows what's just happened, and an Events page where you can see a list of all networking activities attempted (blocked or allowed). It's possible to get a pretty good feel for what's happening with this software.
Over time, just by using the system it becomes possible to build a list of just what you want to allow, and to either continue to log messages on the screen and in the Event log or hide the messages entirely from either place.
You can, for example, once you're confident in your WebBrowserZone settings, just hide the activity of your web browser from the Events tab and from popping up. That way you can more easily concentrate on what's left.
I reduced the rule set in the Windows Advanced Firewall to nothing. Only the Sphinx setup now governs my entire system.
As I mentioned above, initially I installed the base version. However, after evaluating that variant in a VM and seeing what I could do with it, I chose to buy the "Plus" edition, and with that achieved a pretty good configuration in which very little was getting out.
But I craved more control and asked the author (on their forum) whether it's possible to get more granularity (e.g., WHICH service is trying to communicate?). They noted that their "Network/Cloud" edition gives more control and allowed me to upgrade the license for an incremental price.
Since the Network/Cloud edition allows you to set up firewalls on your main system and 3 additional "slave" systems, I've decided to set up my whole stable of systems and VMs with this software. At this point I've found a minor glitch with the control setup (adding "Agents") and they're working on a bugfix.
Edited by NoelC, Today, 04:46 PM.
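One way to express the same deny-by-default, per-program model described in the post with the Windows Firewall cmdlets that ship with Windows 8.1 (the NetSecurity module). This is an added example, not NoelC's setup and not the Sphinx product's own configuration: the "Zones" and "Programs" below mirror the post's vocabulary, but the executable paths, service names, port lists and group name are assumptions chosen for illustration. Run it from an elevated PowerShell prompt, and try it in a VM first, as the post did.

```powershell
# Added example (not from the original post, which uses the Sphinx product):
# deny all outbound traffic by default, then allow only named programs into
# named "zones" using the built-in Windows Firewall cmdlets (Windows 8+).
# Every path, service name and port list here is an illustrative assumption.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest

# 1. Default-deny in both directions on every profile, and log what is dropped
#    so the allow list can be built from real activity (the post's Events page).
$LogFile = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName $LogFile -LogMaxSizeKilobytes 32767

# 2. "Zones": what a class of program may do. Each zone is a set of
#    New-NetFirewallRule parameters, so changing a zone re-creates every rule
#    that uses it consistently.
$Zones = @{
    WebBrowser = @{ Protocol = 'TCP'; RemotePort = @('80', '443'); RemoteAddress = 'Any' }
    LanOnly    = @{ Protocol = 'Any'; RemoteAddress = 'LocalSubnet' }
    DnsOnly    = @{ Protocol = 'UDP'; RemotePort = '53'; RemoteAddress = 'Any' }
}

# 3. "Programs": which executable gets which zone. Code hosted in svchost.exe
#    is pinned to a specific service so the rule does not open svchost wholesale.
$Programs = @(
    @{ Name = 'Internet Explorer'; Program = "$env:ProgramFiles\Internet Explorer\iexplore.exe"; Zone = 'WebBrowser' }
    @{ Name = 'File sharing';      Program = "$env:SystemRoot\System32\svchost.exe"; Service = 'LanmanWorkstation'; Zone = 'LanOnly' }
    @{ Name = 'DNS client';        Program = "$env:SystemRoot\System32\svchost.exe"; Service = 'Dnscache';          Zone = 'DnsOnly' }
)

$Group = 'Outbound allow-list (managed)'

# Remove and re-create only our own rule group; other rules are left alone.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($p in $Programs) {
    $zone = $Zones[$p.Zone]
    if (-not $zone) { throw "Program '$($p.Name)' refers to unknown zone '$($p.Zone)'" }
    $params = @{
        DisplayName = "$Group - $($p.Name) [$($p.Zone)]"
        Group       = $Group
        Direction   = 'Outbound'
        Action      = 'Allow'
        Program     = $p.Program
        Profile     = 'Any'
        Enabled     = 'True'
    }
    if ($p.ContainsKey('Service')) { $params.Service = $p.Service }
    New-NetFirewallRule @params @zone | Out-Null
}

# 4. Review what is still being dropped. The DROP lines are the equivalent of
#    the pop-ups in the post and drive the next allow/deny decision.
Get-Content $LogFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\S+ \S+ DROP ' } |
    Select-Object -Last 20
```

Two caveats a practitioner will hit with this approach: Windows Update and activation also run inside svchost.exe under their own services, so they need their own zone and service-pinned rule before the default-deny is switched on, and the built-in log records only the executable's network 5-tuple, not which service inside svchost originated a connection, which is exactly the per-service granularity the post went to the Network/Cloud edition to get.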