Thursday, August 27, 2015

How to Block An Application from Accessing the Internet with Windows Firewall

Most of the time we want our applications online and connected to both our local network and the greater Internet. There are instances, however, when we want to prevent an application from connecting to the Internet. Read on as I show you how to lock down an application via the Windows Firewall.

Why Do I Want To Do This?

Some of you might have been sold immediately by the headline, as blocking an application is exactly what you’ve been wanting to do. Others may have opened this article curious as to why one would block an application in the first place.
Although you generally want your applications to have free access to the network (after all, what good is a web browser that can’t reach the web?), there are a variety of situations in which you may wish to prevent an application from accessing the network.
Some simple and commonplace examples are as follows. You might have an application that insists on automatically updating itself (but those updates break some functionality and you wish to stop the updates). You might have a video game that you’re comfortable with your child playing, but you’re not so comfortable with the online (and unsupervised) multiplayer elements. You might be using an application with really obnoxious ads that can be silenced by cutting off the application’s Internet access.
Regardless of why you want to drop the cone of network connectivity silence over a given application, a trip into the guts of the Windows Firewall is an easy way to do so. Let’s take a look at how to block an application from accessing the local network and Internet now.

Creating a Windows Firewall Rule

Although we’ll be demonstrating this trick on Windows 10, the basic layout and premise has remained largely unchanged over the years and you can easily adapt this tutorial to earlier versions of Windows.
To create a Windows Firewall rule, you first need to open up the advanced Firewall interface. To do so, navigate to the Control Panel and select Windows Firewall to bring up the basic Firewall interface.
There you click on “Advanced settings” to access the advanced Firewall interface (alternatively, you can search for “firewall” with the Start Menu search and select “Firewall with Advanced Security” to jump right to the menu).
There is a lot going on in the advanced Firewall interface and we’d encourage you to follow along closely, leaving anything outside the scope of the tutorial and your experience level alone; mucking up your firewall rules is a surefire way to a big headache.
In the far left navigation pane, select “Outbound Rules”. This will pull up all the existing outbound firewall rules (don’t be surprised that it is already populated with dozens and dozens of Windows-generated entries).
In the far right navigation pane select “New Rule…” to create a new rule for outbound traffic.
By default the rule type selection should be “Program”, but confirm that it is before clicking “Next”.
Here you will insert the path to the program you wish to block. For the purposes of this tutorial we’re going to block a portable copy of the Maxthon web browser as it will be easy to demonstrate to you that the browser is blocked. Click the “Browse” button and browse to the application on your computer.
Now, and please listen closely here to save yourself an enormous amount of frustration, there’s an important change you need to make. Trust us on this. If you skip this step you’ll be beyond frustrated.
When you use the “Browse” command and select the EXE file, Windows defaults to using what are known as environment variables if the path includes a portion represented by one of those variables (e.g. instead of inserting C:\Users\Steve\ it will swap in the environment variable %USERPROFILE%). For some reason, despite the fact that this is how Windows populates the program path field by default, it will break the firewall rule. If the file you have browsed to is anywhere that uses an environment variable (like the Users folder or the Program Files folder) you have to manually edit the program path entry to remove the variable and replace it with the correct and full file path. In case that’s a tad confusing, let us illustrate with our example program from above.
By default Windows plugged in the following program path information when we browsed for the file, which was located in our Documents folder:
%USERPROFILE%\Documents\MaxthonPortable\App\Maxthon\Bin\Maxthon.exe
That file path is understood by Windows, but for some reason when inserted into the firewall application it is no longer recognized and the firewall rule fails. Instead we need to replace the file path that includes the environment variable with the full file path. In our case it looks like this:
C:\Users\Jason\Documents\MaxthonPortable\App\Maxthon\Bin\Maxthon.exe
It’s possible this is some quirk isolated to the Windows 10 firewall and you can use environment variables in Windows 7 or the like without issue, but we’d encourage you to just remove the variable and use the full and absolute file path to save yourself a headache today and down the road.
Finally, there’s one small but important thing to keep in mind here. For most applications the main .EXE file is the one you want to block, but there are examples of applications where things are a wee bit counter-intuitive. Take Minecraft, for example. At first glance it seems like you should block Minecraft.exe, but Minecraft.exe is actually just the launcher file and the actual network connectivity happens through Java; if you want to restrict your child from connecting to online Minecraft servers you need to block Javaw.exe and not Minecraft.exe. That’s atypical; most applications can be blocked by simply blocking the main executable, but it’s worth noting.
Once you’ve selected your application and confirmed the path, click “Next”.
On the next screen confirm that “Block the connection” is selected. Click “Next”.
On the next page you’ll be asked to select when the rule applies (by default all three items are checked). It’s important to note that this option determines when the rule is in effect and not what the rule affects. For example, if you check “Public” but not “Private” that doesn’t mean the application can access resources on the local network but not on the public Internet. The options here determine whether or not the rule applies based on whether the computer is connected to what you’ve defined as a public or private network.
So, for example, if you have a laptop that you use at home (a network you’ve defined as private) and at a coffee shop (a network you’ve defined as public) and you want the rule to apply to both places you need to check both options. If you want the rule to only apply when you’re at the public Wi-Fi spot at the coffee shop, then just check Public. When in doubt just check them all to block the application across all networks. When you’ve made your selection click “Next”.
The final step is to name your rule. Give it a clear name you’ll recognize later on: there are a lot of cryptic entries in the Firewall system created automatically by Windows and in response to certain applications, and you want your entry to have a clean, easy-to-understand name you can find later. We named ours, simply, “Maxthon Block” to indicate which application we’re blocking. If you wish you can add a description (perhaps a reminder of why you created the block in the first place, lest you forget years down the road). When you’ve filled in the appropriate information, click “Finish”.
You’ll now have an entry at the top of the “Outbound Rules” list for your new rule. If your goal was blanket blocking you’re all done. If you want to tweak and refine the rule you can double click on the entry and make adjustments like adding local exceptions (e.g. the application can’t access the Internet but it can connect to another PC on your network so you can use a network resource or the like).
At this point we’ve achieved the goal outlined in the title of this article: all outbound communication from the application in question is now cut off. If you want to further tighten the grip you have on the application you can select the “Inbound Rules” option in the right-hand navigation panel of the “Windows Firewall with Advanced Security” window and repeat the process, step for step, recreating an identical firewall rule that governs inbound traffic for that application too.
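The same rule can also be created and checked from PowerShell. The script below is an added example, not part of the original article: the function names New-AppBlockRule and Test-AppBlockRule are hypothetical, the path and rule name are sample values based on the walkthrough above, and it resolves any environment variable to an absolute path before the rule is stored.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Function names are hypothetical;
# path and rule name are sample values based on the article's walkthrough.

function New-AppBlockRule {
    param(
        [Parameter(Mandatory)] [string] $ProgramPath,
        [Parameter(Mandatory)] [string] $RuleName,
        [switch] $IncludeInbound   # also block inbound traffic for the program
    )
    # Expand variables such as %USERPROFILE% in this session and store the
    # absolute path in the rule, as the article recommends.
    $fullPath = [Environment]::ExpandEnvironmentVariables($ProgramPath)
    if ($fullPath -match '%') { throw "Unresolved variable in path: $fullPath" }
    if (-not (Test-Path -LiteralPath $fullPath -PathType Leaf)) {
        throw "Executable not found: $fullPath"
    }
    $directions = @('Outbound')
    if ($IncludeInbound) { $directions += 'Inbound' }
    foreach ($direction in $directions) {
        New-NetFirewallRule -DisplayName "$RuleName ($direction)" `
            -Description 'Block this program on all network profiles' `
            -Direction $direction -Program $fullPath -Action Block `
            -Profile Domain, Private, Public | Out-Null
    }
}

function Test-AppBlockRule {
    param([Parameter(Mandatory)] [string] $RuleName)
    # Read each rule back and flag stored paths that still contain a variable
    # or point at a file that does not exist.
    Get-NetFirewallRule -DisplayName "$RuleName*" | ForEach-Object {
        $program = ($_ | Get-NetFirewallApplicationFilter).Program
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Direction = $_.Direction
            Enabled   = $_.Enabled
            Program   = $program
            PathOk    = ($program -notmatch '%') -and (Test-Path -LiteralPath $program -PathType Leaf)
        }
    }
}

New-AppBlockRule -ProgramPath '%USERPROFILE%\Documents\MaxthonPortable\App\Maxthon\Bin\Maxthon.exe' `
    -RuleName 'Maxthon Block' -IncludeInbound
Test-AppBlockRule -RuleName 'Maxthon Block' | Format-Table -AutoSize
```

Run it elevated under the account that owns the program, because %USERPROFILE% expands to the profile of whoever runs the script. The NetSecurity cmdlets used here require Windows 8 or later.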

Testing the Rule

Now that the rule is active it’s time to fire up the application in question and test it. Remember our test application was the Maxthon web browser. Practically speaking it’s not very useful to totally block your web browser from accessing the Internet as accessing the Internet is the whole point of a web browser, but it serves as a useful example application because we can immediately and clearly demonstrate that the firewall rule is in effect.
After loading the browser and pointing it at http://www.howtogeek.com we see immediately that the firewall rule is in effect: we cannot connect to our own site or any other website as the firewall is denying the application access. Ironically the error message in the web browser encourages us to check our firewall settings.

That’s all there is to it! A few minutes poking around in the firewall, another minute checking your file path and confirming your settings, and your application is locked down tight never to access the Internet again.

Article by: Jason Fitzpatrick
