Most of the time we want our applications online and
connected to both our local network and the greater Internet. There are
instances, however, when we want to prevent an application from
connecting to the Internet. Read on as I show you how to lock down an
application via the Windows Firewall.
Why Do I Want To Do This?
Some of you might have been sold immediately by the headline, as
blocking an application is exactly what you’ve been wanting to do.
Others may have opened this article curious as to why one would block
an application in the first place.
Although you generally want your applications to have free access to
the network (after all what good is a web browser that can’t reach the
web) there are a variety of situations in which you may wish to prevent
an application from accessing the network.
Some simple and commonplace examples are as follows. You might have
an application that insists on automatically updating itself (but those
updates break some functionality and you wish to stop the updates). You
might have a video game that you’re comfortable with your child playing,
but you’re not so comfortable with the online (and unsupervised)
multiplayer elements. You might be using an application with really
obnoxious ads that can be silenced by cutting off the application’s
Internet access.
Regardless of why you want to drop the cone of network connectivity
silence over a given application, a trip into the guts of the Windows
Firewall is an easy way to do so. Let’s take a look at how to block an
application from accessing the local network and Internet now.
Creating a Windows Firewall Rule
Although we’ll be demonstrating this trick on Windows 10, the basic
layout and premise has remained largely unchanged over the years and you
can easily adapt this tutorial to earlier versions of Windows.
To create a Windows Firewall rule, you first need to open up the
advanced Firewall interface. To do so, navigate to the Control Panel and
select Windows Firewall to bring up the basic Firewall interface.
There you click on “Advanced settings” to access the advanced
Firewall interface (alternatively, you can search for “firewall” with
the Start Menu search and select “Firewall with Advanced Security” to
jump right to the menu).
There is a lot going on in the advanced Firewall interface
and we’d encourage you to follow along closely, leaving anything outside
the scope of the tutorial and your experience level alone; mucking up
your firewall rules is a surefire way to a big headache.
In the far left navigation pane, select “Outbound Rules”. This will
pull up all the existing outbound firewall rules (don’t be surprised
that it is already populated with dozens and dozens of Windows-generated
entries).
In the far right navigation pane select “New Rule…” to create a new rule for outbound traffic.
By default the rule type selection should be “Program”, but confirm that it is before clicking “Next”.
Here you will insert the path to the program you wish to block. For
the purposes of this tutorial we’re going to block a portable copy of
the Maxthon web browser as it will be easy to demonstrate to you that
the browser is blocked. Click the “Browse” button and browse to the
application on your computer.
Now, and please listen closely here to save yourself an enormous
amount of frustration, there’s an important change you need to make.
Trust us on this. If you skip this step you’ll be beyond frustrated.
When you use the “Browse” command and select the EXE file, Windows
defaults to using what are known as environment variables if the
particular path includes a portion represented by one of those
variables (e.g. instead of inserting C:\Users\Steve\ it will swap
it for the environment variable %USERPROFILE%). For some reason,
despite the fact that this is the default way it populates the program
path field, it will break the firewall rule. If the file you
have browsed to is anywhere that uses an environment variable (like
the /User/ path or the /Program Files/ path) you have to manually edit
the program path entry to remove the variable and replace it with the
correct and full file path. In case that’s a tad confusing, let us
illustrate with our example program from above.
By default Windows plugged in the following program path information
when we browsed for the file, which was located in our Documents folder:
%USERPROFILE%\Documents\MaxthonPortable\App\Maxthon\Bin\Maxthon.exe
That file path is understood by Windows, but for some reason when
inserted into the firewall application it is no longer recognized and
the firewall rule fails. Instead we need to replace the file path that
includes the environment variable with the full file path. In our case
it looks like this:
C:\Users\Jason\Documents\MaxthonPortable\App\Maxthon\Bin\Maxthon.exe
It’s possible this is some quirk isolated to the Windows 10 firewall
and you can use environment variables in Windows 7 or the like without
issue, but we’d encourage you to just remove the variable and use the
full and absolute file path to save yourself a headache today and down
the road.
Finally, there’s one small but important thing to keep in mind here.
For most applications the main .EXE file is the one you want to block,
but there are examples of applications where things are a wee bit
counter-intuitive. Take Minecraft, for example. At first glance it seems
like you should block Minecraft.exe but Minecraft.exe is actually just
the launcher file and the actual network connectivity happens through
Java; if you want to restrict your child from connecting to online
Minecraft servers you need to block Javaw.exe and not Minecraft.exe.
That’s atypical, as most applications can be blocked by simply blocking
the main executable, but it’s worth noting.
Once you’ve selected your application and confirmed the path, click “Next”.
On the next screen confirm that “Block the connection” is selected. Click “Next”.
On the next page you’ll be asked to select when the rule applies (by
default all three items are checked). It’s important to note that this
option determines when the rule is in effect and not what
the rule affects. For example, if you check “Public” but not “Private”
that doesn’t mean the application can access resources on the local
network but not on the public Internet. The options here determine
whether or not the rule applies based on whether or not
the computer is connected to what you’ve defined as a public or private
network.
So, for example, if you have a laptop that you use at home (a network
you’ve defined as private) and at a coffee shop (a network you’ve
defined as public) and you want the rule to apply to both places you
need to check both options. If you want the rule to only apply when
you’re at the public Wi-Fi spot at the coffee shop, then just check
Public. When in doubt just check them all to block the application
across all networks. When you’ve made your selection click “Next”.
The final step is to name your rule. Give it a clear name you’ll
recognize later on. There are a lot of cryptic entries in the
Firewall system created automatically by Windows and in response to
certain applications, so you want your entry to have a clean and easy to
understand name you can find later. We named ours, simply, “Maxathon
Block” to indicate which application we’re blocking. If you wish you can
add a description (perhaps a reminder of why you created the block in
the first place, lest you forget years down the road). When you’ve
filled the appropriate information in, click “Finish”.
You’ll now have an entry at the top of the “Outbound Rules” list for
your new rule. If your goal was blanket blocking you’re all done. If you
want to tweak and refine the rule you can double click on the entry and
make adjustments like adding local exceptions (e.g. the application
can’t access the Internet but it can connect to another PC on your
network so you can use a network resource or the like).
At this point we’ve achieved the goal outlined in the title of this
article: all outbound communication from the application in question is
now cut off. If you want to further tighten the grip you have on the
application you can select the “Inbound Rules” option in the right hand
navigation panel of the “Windows Firewall with Advanced Security” and
repeat the process, step for step, recreating an identical firewall rule
that governs inbound traffic for that application too.
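The same outbound and inbound rules can be created from an elevated PowerShell prompt with the built-in NetSecurity cmdlets. The following is an added example, not part of the original article: the function name New-AppBlockRule and its parameters are hypothetical, and the path and rule name are the article's sample values. It expands any environment variable to the full path before creating the rule, then reads the rule back so you can confirm the path the firewall stored.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. New-AppBlockRule and its parameters are
# hypothetical names; the path and rule name are the article's sample values.
function New-AppBlockRule {
    param(
        [Parameter(Mandatory)] [string] $ProgramPath,  # may contain %VARIABLES%
        [Parameter(Mandatory)] [string] $RuleName,
        [switch] $IncludeInbound                       # also add the inbound twin
    )
    # Expand %USERPROFILE% and friends so the rule stores a literal path.
    $fullPath = [Environment]::ExpandEnvironmentVariables($ProgramPath)
    if ($fullPath -match '%') {
        throw "Unresolved environment variable in path: $fullPath"
    }
    if (-not (Test-Path -LiteralPath $fullPath -PathType Leaf)) {
        throw "Executable not found: $fullPath"
    }
    $fullPath = (Resolve-Path -LiteralPath $fullPath).ProviderPath

    $directions = @('Outbound')
    if ($IncludeInbound) { $directions += 'Inbound' }

    foreach ($direction in $directions) {
        $name = "$RuleName ($direction)"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Warning "Rule '$name' already exists; leaving it untouched."
        } else {
            # -Profile Any = Domain, Private and Public all checked in the wizard.
            New-NetFirewallRule -DisplayName $name -Direction $direction `
                -Program $fullPath -Action Block -Profile Any -Enabled True |
                Out-Null
        }
        # Read the rule back and report the path the firewall actually stored.
        $rule = Get-NetFirewallRule -DisplayName $name
        [pscustomobject]@{
            Rule    = $rule.DisplayName
            Action  = $rule.Action
            Profile = $rule.Profile
            Program = ($rule | Get-NetFirewallApplicationFilter).Program
        }
    }
}

New-AppBlockRule -RuleName 'Maxathon Block' -IncludeInbound `
    -ProgramPath '%USERPROFILE%\Documents\MaxthonPortable\App\Maxthon\Bin\Maxthon.exe'
```

If you elevate with a different account than the one you log in with, %USERPROFILE% expands to that account's profile, so pass the literal path instead.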
Testing the Rule
Now that the rule is active it’s time to fire up the application in
question and test it. Remember our test application was the Maxthon web
browser. Practically speaking it’s not very useful to totally block your
web browser from accessing the Internet as accessing the Internet is
the whole point of a web browser, but it serves as a useful example
application because we can immediately and clearly demonstrate that the
firewall rule is in effect.
After loading the browser and pointing it at http://www.howtogeek.com
we see immediately that the firewall rule is in effect: we cannot
connect to our own site or any other website as the firewall is denying
the application access. Ironically the error message in the web browser
encourages us to check our firewall settings.
That’s all there is to it! A few minutes poking around in the
firewall, another minute checking your file path and confirming your
settings, and your application is locked down tight never to access the
Internet again.
Article by: Jason Fitzpatrick