How to prevent Firefox and Chrome from opening ports in the firewall?How Do I Troubleshoot a Browser Hijack on a Mac?Is Firefox on Ubuntu less secured (does it not confine Flash)?Why do Firefox and Chrome “leak” critical security information out of the browser and how can I stop it?Is Windows 10 [Password protection on wakeup] set to 'Required' relevant when machine is asleep?Is QUIC (Quick UDP Internet Connections) safe to allow through firewall?Secure touch kiosk system without updates?Does Mozilla's Firefox browser repeatedly connect to Google Analytics servers?Google Chrome and Certificate ProblemPrevent Chrome extensions from betraying meHow to prevent Windows Update from suspending BitLocker encrytion?

Why do passenger jet manufacturers design their planes with stall prevention systems?

How could a scammer know the apps on my phone / iTunes account?

Unexpected result from ArcLength

Welcoming 2019 Pi day: How to draw the letter π?

Gravity magic - How does it work?

Life insurance that covers only simultaneous/dual deaths

Why does Bach not break the rules here?

Do I need life insurance if I can cover my own funeral costs?

Can I use USB data pins as power source

How to read the value of this capacitor?

If curse and magic is two sides of the same coin, why the former is forbidden?

How do I hide Chekhov's Gun?

How to deal with taxi scam when on vacation?

Use void Apex method in Lightning Web Component

Does Mathematica reuse previous computations?

What's causing this power spike in STM32 low power mode

Could the Saturn V actually have launched astronauts around Venus?

What is this large pipe coming out of my roof?

My Graph Theory Students

What are substitutions for coconut in curry?

Happy pi day, everyone!

newcommand: Combine (optional) star and optional parameter

What should tie a collection of short-stories together?

Is it possible to upcast ritual spells?



How to prevent Firefox and Chrome from opening ports in the firewall?


How Do I Troubleshoot a Browser Hijack on a Mac?Is Firefox on Ubuntu less secured (does it not confine Flash)?Why do Firefox and Chrome “leak” critical security information out of the browser and how can I stop it?Is Windows 10 [Password protection on wakeup] set to 'Required' relevant when machine is asleep?Is QUIC (Quick UDP Internet Connections) safe to allow through firewall?Secure touch kiosk system without updates?Does Mozilla's Firefox browser repeatedly connect to Google Analytics servers?Google Chrome and Certificate ProblemPrevent Chrome extensions from betraying meHow to prevent Windows Update from suspending BitLocker encrytion?













8















I have noticed that Firefox and Chrome have opened ports for unsolicited inbound traffic in the Windows firewall. This happened with Windows 7 x64 and Windows 10. (Here, I am talking about the standard firewall integrated in recent Windows versions, not some third-party product).



Normally, when a program tries to change the firewall configuration, I get a notification (dialog box) on the desktop asking me if I would like to allow that action. But with Firefox and Chrome, things are different:



I regularly delete all rules for Firefox and Chrome from the firewall configuration. However, each time those browsers update themselves (which is quite often), they re-create those rules without the usual confirmation dialog appearing.



I do not understand how this is possible. I currently suspect that the rules are recreated not by Firefox or Chrome themselves, but by their maintenance (update) services which are running in the background, probably with administrative rights.



I do not want Firefox to add rules to my firewall to let unsolicited inbound traffic pass to itself to any port from any address for TCP and UDP. Likewise, I do not want Chrome to add rules to my firewall which let unsolicited inbound UDP traffic pass to itself to a certain port, but also from any address. I am considering that a big security breach given the many security vulnerabilities of the browsers.



Hence the question: How do I prevent Firefox and Chrome and their maintenance / update services from silently adding rules to the Windows firewall?



I have seen that I could control the firewall by group policies, but this seems kind of extreme to me when the only reason would be the problem described above. My clients are not part of a domain, so I would have to do this on each of them. Furthermore, I am not sure if the browsers and their maintenance / update services are able to circumvent the group policies as well.



Steps to reproduce:



  • Install Firefox


  • Install Chrome


  • Open the GUI for the Windows firewall management ("Windows Firewall with advanced security")


  • On the left, select "Inbound rules"


  • A list of rules appears on the right; notice two rules whose name begins with "Firefox" and one rule whose name begins with "Chrome"


  • When you double-click one of the rules, a dialog box appears where the rule's properties, the ports being opened, the program which is allowed to receive that traffic and so on are detailed


  • Note that the two rules for Firefox are nearly identical; the only difference is that one is for TCP, the other for UDP. Both allow unsolicited inbound traffic from any address to any port to Firefox.


  • Note that the rule for Chrome lets pass UPD traffic from any address to port 5353 to Chrome.


  • Delete the three rules mentioned above


  • Wait until a Firefox update is available and install it


  • Note that the two rules for Firefox are re-created when installing the update without any confirmation dialog appearing


  • Wait until a Chrome update is available and install it


  • Note that the rule for Chrome is re-created when installing the update without any confirmation dialog appearing


Hint: When testing, please be aware that you might need to right-click on "Inbound Rules" at the left and select "Refresh" from the context menu to actually see the newest updates to the rules which might have been done in the background by services or applications.



Hint 2: In fact, if you want to test this, you don't need to wait for the next Firefox or Chrome update. Just install an old version of the browsers and make sure that the firewall rules mentioned above have been created, then delete those rules. Because you have installed old versions, updates will be available immediately. Install the updates and note that the firewall rules have been silently re-created.






chrome firefox windows-10 windows-7







share|improve this question



















  • 1





    All what I read here are just claims, which might be true or might be caused by some misunderstanding. Could you actually provide detailed information what ports are exactly opened in your opinion, i.e. show the relevant output from netstat or wherever you got this information from?

    – Steffen Ullrich
    14 hours ago












  • Actually showing those rules is difficult because I've just deleted them before asking. However, the steps to reproduce are: Install Firefox; install Chrome; Open the management GUI for "Windows Firewall with advanced security"; select "Inbound Rules"; notice two rules whose name starts with "Firefox" and one rule named "Chrome (mDNS in)"; examine each rule by double-clicking it and cycling through the tabs of the dialog box that opens. I'll add this to my question.

    – Binarus
    13 hours ago












  • @SteffenUllrich And further more, I am not interested if Firefox / Chrome actually listen somewhere, i.e. I am not interested in netstat or similar tools. I am interested in the firewall settings which don't have anything to do with that. After all, Firefox and Chrome could listen on some ports, but that wouldn't be harmful if the firewall would block them; or they may not listen on that ports, but might change the firewall configuration. I am exclusively interested in how to prevent them from changing the firewall rules (whether or not they are actually listening).

    – Binarus
    13 hours ago







  • 1





    Related post on Super user

    – Sefa
    12 hours ago











  • Thanks for the link - I didn't see that before. Same issue, and no solution ...

    – Binarus
    8 hours ago















8















I have noticed that Firefox and Chrome have opened ports for unsolicited inbound traffic in the Windows firewall. This happened with Windows 7 x64 and Windows 10. (Here, I am talking about the standard firewall integrated in recent Windows versions, not some third-party product).



Normally, when a program tries to change the firewall configuration, I get a notification (dialog box) on the desktop asking me if I would like to allow that action. But with Firefox and Chrome, things are different:



I regularly delete all rules for Firefox and Chrome from the firewall configuration. However, each time those browsers update themselves (which is quite often), they re-create those rules without the usual confirmation dialog appearing.



I do not understand how this is possible. I currently suspect that the rules are recreated not by Firefox or Chrome themselves, but by their maintenance (update) services which are running in the background, probably with administrative rights.



I do not want Firefox to add rules to my firewall to let unsolicited inbound traffic pass to itself to any port from any address for TCP and UDP. Likewise, I do not want Chrome to add rules to my firewall which let unsolicited inbound UDP traffic pass to itself to a certain port, but also from any address. I am considering that a big security breach given the many security vulnerabilities of the browsers.



Hence the question: How do I prevent Firefox and Chrome and their maintenance / update services from silently adding rules to the Windows firewall?



I have seen that I could control the firewall by group policies, but this seems kind of extreme to me when the only reason would be the problem described above. My clients are not part of a domain, so I would have to do this on each of them. Furthermore, I am not sure if the browsers and their maintenance / update services are able to circumvent the group policies as well.



Steps to reproduce:



  • Install Firefox


  • Install Chrome


  • Open the GUI for the Windows firewall management ("Windows Firewall with advanced security")


  • On the left, select "Inbound rules"


  • A list of rules appears on the right; notice two rules whose name begins with "Firefox" and one rule whose name begins with "Chrome"


  • When you double-click one of the rules, a dialog box appears where the rule's properties, the ports being opened, the program which is allowed to receive that traffic and so on are detailed


  • Note that the two rules for Firefox are nearly identical; the only difference is that one is for TCP, the other for UDP. Both allow unsolicited inbound traffic from any address to any port to Firefox.


  • Note that the rule for Chrome lets pass UPD traffic from any address to port 5353 to Chrome.


  • Delete the three rules mentioned above


  • Wait until a Firefox update is available and install it


  • Note that the two rules for Firefox are re-created when installing the update without any confirmation dialog appearing


  • Wait until a Chrome update is available and install it


  • Note that the rule for Chrome is re-created when installing the update without any confirmation dialog appearing


Hint: When testing, please be aware that you might need to right-click on "Inbound Rules" at the left and select "Refresh" from the context menu to actually see the newest updates to the rules which might have been done in the background by services or applications.



Hint 2: In fact, if you want to test this, you don't need to wait for the next Firefox or Chrome update. Just install an old version of the browsers and make sure that the firewall rules mentioned above have been created, then delete those rules. Because you have installed old versions, updates will be available immediately. Install the updates and note that the firewall rules have been silently re-created.






chrome firefox windows-10 windows-7







share|improve this question



















  • 1





    All what I read here are just claims, which might be true or might be caused by some misunderstanding. Could you actually provide detailed information what ports are exactly opened in your opinion, i.e. show the relevant output from netstat or wherever you got this information from?

    – Steffen Ullrich
    14 hours ago












  • Actually showing those rules is difficult because I've just deleted them before asking. However, the steps to reproduce are: Install Firefox; install Chrome; Open the management GUI for "Windows Firewall with advanced security"; select "Inbound Rules"; notice two rules whose name starts with "Firefox" and one rule named "Chrome (mDNS in)"; examine each rule by double-clicking it and cycling through the tabs of the dialog box that opens. I'll add this to my question.

    – Binarus
    13 hours ago












  • @SteffenUllrich And further more, I am not interested if Firefox / Chrome actually listen somewhere, i.e. I am not interested in netstat or similar tools. I am interested in the firewall settings which don't have anything to do with that. After all, Firefox and Chrome could listen on some ports, but that wouldn't be harmful if the firewall would block them; or they may not listen on that ports, but might change the firewall configuration. I am exclusively interested in how to prevent them from changing the firewall rules (whether or not they are actually listening).

    – Binarus
    13 hours ago







  • 1





    Related post on Super user

    – Sefa
    12 hours ago











  • Thanks for the link - I didn't see that before. Same issue, and no solution ...

    – Binarus
    8 hours ago













8












8








8


2






I have noticed that Firefox and Chrome have opened ports for unsolicited inbound traffic in the Windows firewall. This happened with Windows 7 x64 and Windows 10. (Here, I am talking about the standard firewall integrated in recent Windows versions, not some third-party product).



Normally, when a program tries to change the firewall configuration, I get a notification (dialog box) on the desktop asking me if I would like to allow that action. But with Firefox and Chrome, things are different:



I regularly delete all rules for Firefox and Chrome from the firewall configuration. However, each time those browsers update themselves (which is quite often), they re-create those rules without the usual confirmation dialog appearing.



I do not understand how this is possible. I currently suspect that the rules are recreated not by Firefox or Chrome themselves, but by their maintenance (update) services which are running in the background, probably with administrative rights.



I do not want Firefox to add rules to my firewall to let unsolicited inbound traffic pass to itself to any port from any address for TCP and UDP. Likewise, I do not want Chrome to add rules to my firewall which let unsolicited inbound UDP traffic pass to itself to a certain port, but also from any address. I am considering that a big security breach given the many security vulnerabilities of the browsers.



Hence the question: How do I prevent Firefox and Chrome and their maintenance / update services from silently adding rules to the Windows firewall?



I have seen that I could control the firewall by group policies, but this seems kind of extreme to me when the only reason would be the problem described above. My clients are not part of a domain, so I would have to do this on each of them. Furthermore, I am not sure if the browsers and their maintenance / update services are able to circumvent the group policies as well.



Steps to reproduce:



  • Install Firefox


  • Install Chrome


  • Open the GUI for the Windows firewall management ("Windows Firewall with advanced security")


  • On the left, select "Inbound rules"


  • A list of rules appears on the right; notice two rules whose name begins with "Firefox" and one rule whose name begins with "Chrome"


  • When you double-click one of the rules, a dialog box appears where the rule's properties, the ports being opened, the program which is allowed to receive that traffic and so on are detailed


  • Note that the two rules for Firefox are nearly identical; the only difference is that one is for TCP, the other for UDP. Both allow unsolicited inbound traffic from any address to any port to Firefox.


  • Note that the rule for Chrome lets pass UPD traffic from any address to port 5353 to Chrome.


  • Delete the three rules mentioned above


  • Wait until a Firefox update is available and install it


  • Note that the two rules for Firefox are re-created when installing the update without any confirmation dialog appearing


  • Wait until a Chrome update is available and install it


  • Note that the rule for Chrome is re-created when installing the update without any confirmation dialog appearing


Hint: When testing, please be aware that you might need to right-click on "Inbound Rules" at the left and select "Refresh" from the context menu to actually see the newest updates to the rules which might have been done in the background by services or applications.



Hint 2: In fact, if you want to test this, you don't need to wait for the next Firefox or Chrome update. Just install an old version of the browsers and make sure that the firewall rules mentioned above have been created, then delete those rules. Because you have installed old versions, updates will be available immediately. Install the updates and note that the firewall rules have been silently re-created.






chrome firefox windows-10 windows-7







share|improve this question
















I have noticed that Firefox and Chrome have opened ports for unsolicited inbound traffic in the Windows firewall. This happened with Windows 7 x64 and Windows 10. (Here, I am talking about the standard firewall integrated in recent Windows versions, not some third-party product).



Normally, when a program tries to change the firewall configuration, I get a notification (dialog box) on the desktop asking me if I would like to allow that action. But with Firefox and Chrome, things are different:



I regularly delete all rules for Firefox and Chrome from the firewall configuration. However, each time those browsers update themselves (which is quite often), they re-create those rules without the usual confirmation dialog appearing.



I do not understand how this is possible. I currently suspect that the rules are recreated not by Firefox or Chrome themselves, but by their maintenance (update) services which are running in the background, probably with administrative rights.



I do not want Firefox to add rules to my firewall to let unsolicited inbound traffic pass to itself to any port from any address for TCP and UDP. Likewise, I do not want Chrome to add rules to my firewall which let unsolicited inbound UDP traffic pass to itself to a certain port, but also from any address. I am considering that a big security breach given the many security vulnerabilities of the browsers.



Hence the question: How do I prevent Firefox and Chrome and their maintenance / update services from silently adding rules to the Windows firewall?



I have seen that I could control the firewall by group policies, but this seems kind of extreme to me when the only reason would be the problem described above. My clients are not part of a domain, so I would have to do this on each of them. Furthermore, I am not sure if the browsers and their maintenance / update services are able to circumvent the group policies as well.



Steps to reproduce:



  • Install Firefox


  • Install Chrome


  • Open the GUI for the Windows firewall management ("Windows Firewall with advanced security")


  • On the left, select "Inbound rules"


  • A list of rules appears on the right; notice two rules whose name begins with "Firefox" and one rule whose name begins with "Chrome"


  • When you double-click one of the rules, a dialog box appears where the rule's properties, the ports being opened, the program which is allowed to receive that traffic and so on are detailed


  • Note that the two rules for Firefox are nearly identical; the only difference is that one is for TCP, the other for UDP. Both allow unsolicited inbound traffic from any address to any port to Firefox.


  • Note that the rule for Chrome lets pass UPD traffic from any address to port 5353 to Chrome.


  • Delete the three rules mentioned above


  • Wait until a Firefox update is available and install it


  • Note that the two rules for Firefox are re-created when installing the update without any confirmation dialog appearing


  • Wait until a Chrome update is available and install it


  • Note that the rule for Chrome is re-created when installing the update without any confirmation dialog appearing


Hint: When testing, please be aware that you might need to right-click on "Inbound Rules" at the left and select "Refresh" from the context menu to actually see the newest updates to the rules which might have been done in the background by services or applications.



Hint 2: In fact, if you want to test this, you don't need to wait for the next Firefox or Chrome update. Just install an old version of the browsers and make sure that the firewall rules mentioned above have been created, then delete those rules. Because you have installed old versions, updates will be available immediately. Install the updates and note that the firewall rules have been silently re-created.






chrome firefox windows-10 windows-7




chrome firefox windows-10 windows-7






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 13 hours ago









SeeYouInDisneyland

1,076519




1,076519










asked 14 hours ago









BinarusBinarus

238211




238211







  • 1





    All what I read here are just claims, which might be true or might be caused by some misunderstanding. Could you actually provide detailed information what ports are exactly opened in your opinion, i.e. show the relevant output from netstat or wherever you got this information from?

    – Steffen Ullrich
    14 hours ago












  • Actually showing those rules is difficult because I've just deleted them before asking. However, the steps to reproduce are: Install Firefox; install Chrome; Open the management GUI for "Windows Firewall with advanced security"; select "Inbound Rules"; notice two rules whose name starts with "Firefox" and one rule named "Chrome (mDNS in)"; examine each rule by double-clicking it and cycling through the tabs of the dialog box that opens. I'll add this to my question.

    – Binarus
    13 hours ago












  • @SteffenUllrich And further more, I am not interested if Firefox / Chrome actually listen somewhere, i.e. I am not interested in netstat or similar tools. I am interested in the firewall settings which don't have anything to do with that. After all, Firefox and Chrome could listen on some ports, but that wouldn't be harmful if the firewall would block them; or they may not listen on that ports, but might change the firewall configuration. I am exclusively interested in how to prevent them from changing the firewall rules (whether or not they are actually listening).

    – Binarus
    13 hours ago







  • 1





    Related post on Super user

    – Sefa
    12 hours ago











  • Thanks for the link - I didn't see that before. Same issue, and no solution ...

    – Binarus
    8 hours ago












  • 1





    All what I read here are just claims, which might be true or might be caused by some misunderstanding. Could you actually provide detailed information what ports are exactly opened in your opinion, i.e. show the relevant output from netstat or wherever you got this information from?

    – Steffen Ullrich
    14 hours ago












  • Actually showing those rules is difficult because I've just deleted them before asking. However, the steps to reproduce are: Install Firefox; install Chrome; Open the management GUI for "Windows Firewall with advanced security"; select "Inbound Rules"; notice two rules whose name starts with "Firefox" and one rule named "Chrome (mDNS in)"; examine each rule by double-clicking it and cycling through the tabs of the dialog box that opens. I'll add this to my question.

    – Binarus
    13 hours ago












  • @SteffenUllrich And further more, I am not interested if Firefox / Chrome actually listen somewhere, i.e. I am not interested in netstat or similar tools. I am interested in the firewall settings which don't have anything to do with that. After all, Firefox and Chrome could listen on some ports, but that wouldn't be harmful if the firewall would block them; or they may not listen on that ports, but might change the firewall configuration. I am exclusively interested in how to prevent them from changing the firewall rules (whether or not they are actually listening).

    – Binarus
    13 hours ago







  • 1





    Related post on Super user

    – Sefa
    12 hours ago











  • Thanks for the link - I didn't see that before. Same issue, and no solution ...

    – Binarus
    8 hours ago







1




1





All what I read here are just claims, which might be true or might be caused by some misunderstanding. Could you actually provide detailed information what ports are exactly opened in your opinion, i.e. show the relevant output from netstat or wherever you got this information from?

– Steffen Ullrich
14 hours ago






All what I read here are just claims, which might be true or might be caused by some misunderstanding. Could you actually provide detailed information what ports are exactly opened in your opinion, i.e. show the relevant output from netstat or wherever you got this information from?

– Steffen Ullrich
14 hours ago














Actually showing those rules is difficult because I've just deleted them before asking. However, the steps to reproduce are: Install Firefox; install Chrome; Open the management GUI for "Windows Firewall with advanced security"; select "Inbound Rules"; notice two rules whose name starts with "Firefox" and one rule named "Chrome (mDNS in)"; examine each rule by double-clicking it and cycling through the tabs of the dialog box that opens. I'll add this to my question.

– Binarus
13 hours ago






Actually showing those rules is difficult because I've just deleted them before asking. However, the steps to reproduce are: Install Firefox; install Chrome; Open the management GUI for "Windows Firewall with advanced security"; select "Inbound Rules"; notice two rules whose name starts with "Firefox" and one rule named "Chrome (mDNS in)"; examine each rule by double-clicking it and cycling through the tabs of the dialog box that opens. I'll add this to my question.

– Binarus
13 hours ago














@SteffenUllrich And further more, I am not interested if Firefox / Chrome actually listen somewhere, i.e. I am not interested in netstat or similar tools. I am interested in the firewall settings which don't have anything to do with that. After all, Firefox and Chrome could listen on some ports, but that wouldn't be harmful if the firewall would block them; or they may not listen on that ports, but might change the firewall configuration. I am exclusively interested in how to prevent them from changing the firewall rules (whether or not they are actually listening).

– Binarus
13 hours ago






@SteffenUllrich And further more, I am not interested if Firefox / Chrome actually listen somewhere, i.e. I am not interested in netstat or similar tools. I am interested in the firewall settings which don't have anything to do with that. After all, Firefox and Chrome could listen on some ports, but that wouldn't be harmful if the firewall would block them; or they may not listen on that ports, but might change the firewall configuration. I am exclusively interested in how to prevent them from changing the firewall rules (whether or not they are actually listening).

– Binarus
13 hours ago





1




1





Related post on Super user

– Sefa
12 hours ago





Related post on Super user

– Sefa
12 hours ago













Thanks for the link - I didn't see that before. Same issue, and no solution ...

– Binarus
8 hours ago





Thanks for the link - I didn't see that before. Same issue, and no solution ...

– Binarus
8 hours ago










2 Answers
2






active

oldest

votes


















8














One option would be to use Windows access controls to prevent changes to the firewall rules. If you first set the rule to Disabled (or simply deleted it), and then changed the ACLs on the firewall rule storage, it should be possible to avoid the rules re-appearing. While any administrator account could overwrite or bypass your modified ACL, it is highly unlikely that an automated installer would endeavor to do so, and consequently the attempts to change the firewall would simply get "Access Denied".



The good news is that the firewall rules are stored in a predictable location, HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyFirewallRules. They are even entirely human-readable, aside from their names, which are GUIDs; the actual rules are pipe-delimited English text (I am now curious what happens if I make a firewall rule with a pipe character in its description).



The bad news is that the rules are stored as values on a single key (the one given above), and registry ACLs are only available at the granularity of keys. This means that if you deny an account write access to that key, you deny that account the ability to change any firewall rule. This could impair functionality in a number of ways; in the extreme, you would need to manually change the ACL on that key before making any firewall rule changes yourself.



The ideal way to do it would be to use a Deny access control entry for the account that you want to block. Deny entries take precedence over Allow entries for a given specificity level (if an account is both allowed and denied an action, deny wins), and specific (account) similarly wins out over generic (Group). Thus, you can add a Deny entry for a specific account to block that account, without also doing something awkward like blocking the entire Administrators group. Unfortunately, all four Mozilla- or Google-related services installed on my machine (MozillaMaintenance, GoogleChromeElevationService, gupdate, and gupdatem) are configured to run as LocalSystem (a.k.a. SYSTEM). Blocking SYSTEM write access to that key might not be disastrous - in fact, blocking SYSTEM from writing to select registry keys is a common way to keep an admin from making specific changes to a machine via Group Policy - but it would probably break some things. If you end up needing to block actions which are elevated via normal UAC you would need to block either yourself or the Administrators group, and that's even more awkward than blocking SYSTEM.



A solution would be to create a new admin-level service account on the machine, and then modify the Google & Mozilla services to use that account and block that specific account at the registry key. This is not trivial - especially if the services rely on any of the special permissions of being SYSTEM, which by default even the Administrator account does not get all of (though this can, of course, be changed) - but it could be done.



You could also try removing the browsers (and any associated services, manually if needed) and re-installing them using unprivileged installers. This would limit their installer blast radius to your local account, and give them no way to elevate unprompted. Firefox supports portable installs, and Chrome actually used to by default install to your user profile (not your Program Files directory) using a per-user install, so in theory it should be possible to install either one without giving the installer admin rights. Nothing without admin rights can create a way to get admin rights (without a UAC prompt or an EoP vulnerability), so they would not have the ability to silently mess with your firewall, and they would probably not even try (after all, a program installed without Admin can be updated without Admin, and a non-Admin can't change the firewall).






share|improve this answer




















  • 2





    Thanks - accepted and upvoted. The information about where the firewall rules are installed and your suggestion to deploy the deny-over-allow policy are awesome. In fact, I've already done something like that in the file system, but didn't know that the firewall rules are stored in the registry. I'll try to let the update services run under a different account and try to block that account from accessing that registry key. And -to give something back- the Firefox update service is called "Mozilla Maintenance Service" and is normally listed in services.msc, at least on my clients.

    – Binarus
    8 hours ago












  • Thanks @Binarus, I've edited that information into the answer. I forgot that the machine I was writing that on didn't actually have Firefox installed (Pale Moon doesn't use or install the MozillaMaintenance service).

    – CBHacking
    42 mins ago


















4














You have reached one limit on computer security. Best practices ask to only allow elevated priviledges for so called trusted programs. But we all know that for common usage, we have to trust the OS and the browser(*). The problem that your are facing is that is one of this products does something that you do not like, little can be done: once you have allowed elevated priviledges, the system offers no additional protection.



I can hardly imagine a truely preventive strategy here because it is hard to guess what an installation procedure could do, and I know nobody that could say that they can detect and understand any change on a windows system. But when one problem has been identified,
workarounds are often possible. Here I can imagine:



  • group policies as you said. BTW, if you have many client machines, you should really considere using AD. You do not even need a AD server license for that because recent versions of SAMBA provide it. And AD can really add a lot when it comes to client machine security

  • automate the process of detecting/resetting the firewall rules. Once automated it will appear as an additional step of the browser upgrade

  • use a dedicated firewall (a dedicated machine) and implement the firewall rules there.

  • maybe others I could not imagine...

Which one will be the more relevant will heavily depend on the real use case...



The best way would be to ask the editors to stop silently opening firewall rules, but I am afraid that this request is unlikely to succeed: there are certainly good reasons for those rules. That is the reason why I only searched for workarounds.



I do not mean here that the browser will run with evelated proviledges, but every updgrade does requires them. And for security reason we cannot use outdated software...






share|improve this answer























  • Thanks for your answer, upvoted. Of course, I already have a dedicated firewall in place which protects the network, but I'd like to use the Windows firewall additionally to protect each client against attacks from within the local network. The idea to automatically correct the firewall rules after each browser update is good; in fact, I already have considered this, but it would mean educating users (I can't see a way to place a hook into the auto-update routines of the browsers). Let's see if there are further suggestions ...

    – Binarus
    8 hours ago











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205416%2fhow-to-prevent-firefox-and-chrome-from-opening-ports-in-the-firewall%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









8














One option would be to use Windows access controls to prevent changes to the firewall rules. If you first set the rule to Disabled (or simply deleted it), and then changed the ACLs on the firewall rule storage, it should be possible to avoid the rules re-appearing. While any administrator account could overwrite or bypass your modified ACL, it is highly unlikely that an automated installer would endeavor to do so, and consequently the attempts to change the firewall would simply get "Access Denied".



The good news is that the firewall rules are stored in a predictable location, HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyFirewallRules. They are even entirely human-readable, aside from their names, which are GUIDs; the actual rules are pipe-delimited English text (I am now curious what happens if I make a firewall rule with a pipe character in its description).



The bad news is that the rules are stored as values on a single key (the one given above), and registry ACLs are only available at the granularity of keys. This means that if you deny an account write access to that key, you deny that account the ability to change any firewall rule. This could impair functionality in a number of ways; in the extreme, you would need to manually change the ACL on that key before making any firewall rule changes yourself.



The ideal way to do it would be to use a Deny access control entry for the account that you want to block. Deny entries take precedence over Allow entries for a given specificity level (if an account is both allowed and denied an action, deny wins), and specific (account) similarly wins out over generic (Group). Thus, you can add a Deny entry for a specific account to block that account, without also doing something awkward like blocking the entire Administrators group. Unfortunately, all four Mozilla- or Google-related services installed on my machine (MozillaMaintenance, GoogleChromeElevationService, gupdate, and gupdatem) are configured to run as LocalSystem (a.k.a. SYSTEM). Blocking SYSTEM write access to that key might not be disastrous - in fact, blocking SYSTEM from writing to select registry keys is a common way to keep an admin from making specific changes to a machine via Group Policy - but it would probably break some things. If you end up needing to block actions which are elevated via normal UAC you would need to block either yourself or the Administrators group, and that's even more awkward than blocking SYSTEM.



A solution would be to create a new admin-level service account on the machine, and then modify the Google & Mozilla services to use that account and block that specific account at the registry key. This is not trivial - especially if the services rely on any of the special permissions of being SYSTEM, which by default even the Administrator account does not get all of (though this can, of course, be changed) - but it could be done.



You could also try removing the browsers (and any associated services, manually if needed) and re-installing them using unprivileged installers. This would limit their installer blast radius to your local account, and give them no way to elevate unprompted. Firefox supports portable installs, and Chrome actually used to by default install to your user profile (not your Program Files directory) using a per-user install, so in theory it should be possible to install either one without giving the installer admin rights. Nothing without admin rights can create a way to get admin rights (without a UAC prompt or an EoP vulnerability), so they would not have the ability to silently mess with your firewall, and they would probably not even try (after all, a program installed without Admin can be updated without Admin, and a non-Admin can't change the firewall).






share|improve this answer




















  • 2





    Thanks - accepted and upvoted. The information about where the firewall rules are installed and your suggestion to deploy the deny-over-allow policy are awesome. In fact, I've already done something like that in the file system, but didn't know that the firewall rules are stored in the registry. I'll try to let the update services run under a different account and try to block that account from accessing that registry key. And -to give something back- the Firefox update service is called "Mozilla Maintenance Service" and is normally listed in services.msc, at least on my clients.

    – Binarus
    8 hours ago












  • Thanks @Binarus, I've edited that information into the answer. I forgot that the machine I was writing that on didn't actually have Firefox installed (Pale Moon doesn't use or install the MozillaMaintenance service).

    – CBHacking
    42 mins ago















8














One option would be to use Windows access controls to prevent changes to the firewall rules. If you first set the rule to Disabled (or simply deleted it), and then changed the ACLs on the firewall rule storage, it should be possible to avoid the rules re-appearing. While any administrator account could overwrite or bypass your modified ACL, it is highly unlikely that an automated installer would endeavor to do so, and consequently the attempts to change the firewall would simply get "Access Denied".



The good news is that the firewall rules are stored in a predictable location, HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyFirewallRules. They are even entirely human-readable, aside from their names, which are GUIDs; the actual rules are pipe-delimited English text (I am now curious what happens if I make a firewall rule with a pipe character in its description).



The bad news is that the rules are stored as values on a single key (the one given above), and registry ACLs are only available at the granularity of keys. This means that if you deny an account write access to that key, you deny that account the ability to change any firewall rule. This could impair functionality in a number of ways; in the extreme, you would need to manually change the ACL on that key before making any firewall rule changes yourself.



The ideal way to do it would be to use a Deny access control entry for the account that you want to block. Deny entries take precedence over Allow entries for a given specificity level (if an account is both allowed and denied an action, deny wins), and specific (account) similarly wins out over generic (Group). Thus, you can add a Deny entry for a specific account to block that account, without also doing something awkward like blocking the entire Administrators group. Unfortunately, all four Mozilla- or Google-related services installed on my machine (MozillaMaintenance, GoogleChromeElevationService, gupdate, and gupdatem) are configured to run as LocalSystem (a.k.a. SYSTEM). Blocking SYSTEM write access to that key might not be disastrous - in fact, blocking SYSTEM from writing to select registry keys is a common way to keep an admin from making specific changes to a machine via Group Policy - but it would probably break some things. If you end up needing to block actions which are elevated via normal UAC you would need to block either yourself or the Administrators group, and that's even more awkward than blocking SYSTEM.



A solution would be to create a new admin-level service account on the machine, and then modify the Google & Mozilla services to use that account and block that specific account at the registry key. This is not trivial - especially if the services rely on any of the special permissions of being SYSTEM, which by default even the Administrator account does not get all of (though this can, of course, be changed) - but it could be done.



You could also try removing the browsers (and any associated services, manually if needed) and re-installing them using unprivileged installers. This would limit their installer blast radius to your local account, and give them no way to elevate unprompted. Firefox supports portable installs, and Chrome actually used to by default install to your user profile (not your Program Files directory) using a per-user install, so in theory it should be possible to install either one without giving the installer admin rights. Nothing without admin rights can create a way to get admin rights (without a UAC prompt or an EoP vulnerability), so they would not have the ability to silently mess with your firewall, and they would probably not even try (after all, a program installed without Admin can be updated without Admin, and a non-Admin can't change the firewall).






share|improve this answer




















  • 2





    Thanks - accepted and upvoted. The information about where the firewall rules are installed and your suggestion to deploy the deny-over-allow policy are awesome. In fact, I've already done something like that in the file system, but didn't know that the firewall rules are stored in the registry. I'll try to let the update services run under a different account and try to block that account from accessing that registry key. And -to give something back- the Firefox update service is called "Mozilla Maintenance Service" and is normally listed in services.msc, at least on my clients.

    – Binarus
    8 hours ago












  • Thanks @Binarus, I've edited that information into the answer. I forgot that the machine I was writing that on didn't actually have Firefox installed (Pale Moon doesn't use or install the MozillaMaintenance service).

    – CBHacking
    42 mins ago













8












8








8







One option would be to use Windows access controls to prevent changes to the firewall rules. If you first set the rule to Disabled (or simply deleted it), and then changed the ACLs on the firewall rule storage, it should be possible to avoid the rules re-appearing. While any administrator account could overwrite or bypass your modified ACL, it is highly unlikely that an automated installer would endeavor to do so, and consequently the attempts to change the firewall would simply get "Access Denied".



The good news is that the firewall rules are stored in a predictable location, HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyFirewallRules. They are even entirely human-readable, aside from their names, which are GUIDs; the actual rules are pipe-delimited English text (I am now curious what happens if I make a firewall rule with a pipe character in its description).



The bad news is that the rules are stored as values on a single key (the one given above), and registry ACLs are only available at the granularity of keys. This means that if you deny an account write access to that key, you deny that account the ability to change any firewall rule. This could impair functionality in a number of ways; in the extreme, you would need to manually change the ACL on that key before making any firewall rule changes yourself.



The ideal way to do it would be to use a Deny access control entry for the account that you want to block. Deny entries take precedence over Allow entries for a given specificity level (if an account is both allowed and denied an action, deny wins), and specific (account) similarly wins out over generic (Group). Thus, you can add a Deny entry for a specific account to block that account, without also doing something awkward like blocking the entire Administrators group. Unfortunately, all four Mozilla- or Google-related services installed on my machine (MozillaMaintenance, GoogleChromeElevationService, gupdate, and gupdatem) are configured to run as LocalSystem (a.k.a. SYSTEM). Blocking SYSTEM write access to that key might not be disastrous - in fact, blocking SYSTEM from writing to select registry keys is a common way to keep an admin from making specific changes to a machine via Group Policy - but it would probably break some things. If you end up needing to block actions which are elevated via normal UAC you would need to block either yourself or the Administrators group, and that's even more awkward than blocking SYSTEM.



A solution would be to create a new admin-level service account on the machine, and then modify the Google & Mozilla services to use that account and block that specific account at the registry key. This is not trivial - especially if the services rely on any of the special permissions of being SYSTEM, which by default even the Administrator account does not get all of (though this can, of course, be changed) - but it could be done.



You could also try removing the browsers (and any associated services, manually if needed) and re-installing them using unprivileged installers. This would limit their installer blast radius to your local account, and give them no way to elevate unprompted. Firefox supports portable installs, and Chrome actually used to by default install to your user profile (not your Program Files directory) using a per-user install, so in theory it should be possible to install either one without giving the installer admin rights. Nothing without admin rights can create a way to get admin rights (without a UAC prompt or an EoP vulnerability), so they would not have the ability to silently mess with your firewall, and they would probably not even try (after all, a program installed without Admin can be updated without Admin, and a non-Admin can't change the firewall).






share|improve this answer















One option would be to use Windows access controls to prevent changes to the firewall rules. If you first set the rule to Disabled (or simply deleted it), and then changed the ACLs on the firewall rule storage, it should be possible to avoid the rules re-appearing. While any administrator account could overwrite or bypass your modified ACL, it is highly unlikely that an automated installer would endeavor to do so, and consequently the attempts to change the firewall would simply get "Access Denied".



The good news is that the firewall rules are stored in a predictable location, HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyFirewallRules. They are even entirely human-readable, aside from their names, which are GUIDs; the actual rules are pipe-delimited English text (I am now curious what happens if I make a firewall rule with a pipe character in its description).



The bad news is that the rules are stored as values on a single key (the one given above), and registry ACLs are only available at the granularity of keys. This means that if you deny an account write access to that key, you deny that account the ability to change any firewall rule. This could impair functionality in a number of ways; in the extreme, you would need to manually change the ACL on that key before making any firewall rule changes yourself.



The ideal way to do it would be to use a Deny access control entry for the account that you want to block. Deny entries take precedence over Allow entries for a given specificity level (if an account is both allowed and denied an action, deny wins), and specific (account) similarly wins out over generic (Group). Thus, you can add a Deny entry for a specific account to block that account, without also doing something awkward like blocking the entire Administrators group. Unfortunately, all four Mozilla- or Google-related services installed on my machine (MozillaMaintenance, GoogleChromeElevationService, gupdate, and gupdatem) are configured to run as LocalSystem (a.k.a. SYSTEM). Blocking SYSTEM write access to that key might not be disastrous - in fact, blocking SYSTEM from writing to select registry keys is a common way to keep an admin from making specific changes to a machine via Group Policy - but it would probably break some things. If you end up needing to block actions which are elevated via normal UAC you would need to block either yourself or the Administrators group, and that's even more awkward than blocking SYSTEM.



A solution would be to create a new admin-level service account on the machine, and then modify the Google & Mozilla services to use that account and block that specific account at the registry key. This is not trivial - especially if the services rely on any of the special permissions of being SYSTEM, which by default even the Administrator account does not get all of (though this can, of course, be changed) - but it could be done.



You could also try removing the browsers (and any associated services, manually if needed) and re-installing them using unprivileged installers. This would limit their installer blast radius to your local account, and give them no way to elevate unprompted. Firefox supports portable installs, and Chrome actually used to by default install to your user profile (not your Program Files directory) using a per-user install, so in theory it should be possible to install either one without giving the installer admin rights. Nothing without admin rights can create a way to get admin rights (without a UAC prompt or an EoP vulnerability), so they would not have the ability to silently mess with your firewall, and they would probably not even try (after all, a program installed without Admin can be updated without Admin, and a non-Admin can't change the firewall).







share|improve this answer














share|improve this answer



share|improve this answer








edited 44 mins ago

























answered 11 hours ago









CBHackingCBHacking

10.6k11627




10.6k11627







  • 2





    Thanks - accepted and upvoted. The information about where the firewall rules are installed and your suggestion to deploy the deny-over-allow policy are awesome. In fact, I've already done something like that in the file system, but didn't know that the firewall rules are stored in the registry. I'll try to let the update services run under a different account and try to block that account from accessing that registry key. And -to give something back- the Firefox update service is called "Mozilla Maintenance Service" and is normally listed in services.msc, at least on my clients.

    – Binarus
    8 hours ago












  • Thanks @Binarus, I've edited that information into the answer. I forgot that the machine I was writing that on didn't actually have Firefox installed (Pale Moon doesn't use or install the MozillaMaintenance service).

    – CBHacking
    42 mins ago












  • 2





    Thanks - accepted and upvoted. The information about where the firewall rules are installed and your suggestion to deploy the deny-over-allow policy are awesome. In fact, I've already done something like that in the file system, but didn't know that the firewall rules are stored in the registry. I'll try to let the update services run under a different account and try to block that account from accessing that registry key. And -to give something back- the Firefox update service is called "Mozilla Maintenance Service" and is normally listed in services.msc, at least on my clients.

    – Binarus
    8 hours ago












  • Thanks @Binarus, I've edited that information into the answer. I forgot that the machine I was writing that on didn't actually have Firefox installed (Pale Moon doesn't use or install the MozillaMaintenance service).

    – CBHacking
    42 mins ago







2




2





Thanks - accepted and upvoted. The information about where the firewall rules are installed and your suggestion to deploy the deny-over-allow policy are awesome. In fact, I've already done something like that in the file system, but didn't know that the firewall rules are stored in the registry. I'll try to let the update services run under a different account and try to block that account from accessing that registry key. And -to give something back- the Firefox update service is called "Mozilla Maintenance Service" and is normally listed in services.msc, at least on my clients.

– Binarus
8 hours ago






Thanks - accepted and upvoted. The information about where the firewall rules are installed and your suggestion to deploy the deny-over-allow policy are awesome. In fact, I've already done something like that in the file system, but didn't know that the firewall rules are stored in the registry. I'll try to let the update services run under a different account and try to block that account from accessing that registry key. And -to give something back- the Firefox update service is called "Mozilla Maintenance Service" and is normally listed in services.msc, at least on my clients.

– Binarus
8 hours ago














Thanks @Binarus, I've edited that information into the answer. I forgot that the machine I was writing that on didn't actually have Firefox installed (Pale Moon doesn't use or install the MozillaMaintenance service).

– CBHacking
42 mins ago





Thanks @Binarus, I've edited that information into the answer. I forgot that the machine I was writing that on didn't actually have Firefox installed (Pale Moon doesn't use or install the MozillaMaintenance service).

– CBHacking
42 mins ago













4














You have reached one limit on computer security. Best practices ask to only allow elevated priviledges for so called trusted programs. But we all know that for common usage, we have to trust the OS and the browser(*). The problem that your are facing is that is one of this products does something that you do not like, little can be done: once you have allowed elevated priviledges, the system offers no additional protection.



I can hardly imagine a truely preventive strategy here because it is hard to guess what an installation procedure could do, and I know nobody that could say that they can detect and understand any change on a windows system. But when one problem has been identified,
workarounds are often possible. Here I can imagine:



  • group policies as you said. BTW, if you have many client machines, you should really considere using AD. You do not even need a AD server license for that because recent versions of SAMBA provide it. And AD can really add a lot when it comes to client machine security

  • automate the process of detecting/resetting the firewall rules. Once automated it will appear as an additional step of the browser upgrade

  • use a dedicated firewall (a dedicated machine) and implement the firewall rules there.

  • maybe others I could not imagine...

Which one will be the more relevant will heavily depend on the real use case...



The best way would be to ask the editors to stop silently opening firewall rules, but I am afraid that this request is unlikely to succeed: there are certainly good reasons for those rules. That is the reason why I only searched for workarounds.



I do not mean here that the browser will run with evelated proviledges, but every updgrade does requires them. And for security reason we cannot use outdated software...






share|improve this answer























  • Thanks for your answer, upvoted. Of course, I already have a dedicated firewall in place which protects the network, but I'd like to use the Windows firewall additionally to protect each client against attacks from within the local network. The idea to automatically correct the firewall rules after each browser update is good; in fact, I already have considered this, but it would mean educating users (I can't see a way to place a hook into the auto-update routines of the browsers). Let's see if there are further suggestions ...

    – Binarus
    8 hours ago
















4














You have reached one limit on computer security. Best practices ask to only allow elevated priviledges for so called trusted programs. But we all know that for common usage, we have to trust the OS and the browser(*). The problem that your are facing is that is one of this products does something that you do not like, little can be done: once you have allowed elevated priviledges, the system offers no additional protection.



I can hardly imagine a truely preventive strategy here because it is hard to guess what an installation procedure could do, and I know nobody that could say that they can detect and understand any change on a windows system. But when one problem has been identified,
workarounds are often possible. Here I can imagine:



  • group policies as you said. BTW, if you have many client machines, you should really considere using AD. You do not even need a AD server license for that because recent versions of SAMBA provide it. And AD can really add a lot when it comes to client machine security

  • automate the process of detecting/resetting the firewall rules. Once automated it will appear as an additional step of the browser upgrade

  • use a dedicated firewall (a dedicated machine) and implement the firewall rules there.

  • maybe others I could not imagine...

Which one will be the more relevant will heavily depend on the real use case...



The best way would be to ask the editors to stop silently opening firewall rules, but I am afraid that this request is unlikely to succeed: there are certainly good reasons for those rules. That is the reason why I only searched for workarounds.



I do not mean here that the browser will run with evelated proviledges, but every updgrade does requires them. And for security reason we cannot use outdated software...






share|improve this answer























  • Thanks for your answer, upvoted. Of course, I already have a dedicated firewall in place which protects the network, but I'd like to use the Windows firewall additionally to protect each client against attacks from within the local network. The idea to automatically correct the firewall rules after each browser update is good; in fact, I already have considered this, but it would mean educating users (I can't see a way to place a hook into the auto-update routines of the browsers). Let's see if there are further suggestions ...

    – Binarus
    8 hours ago














4












4








4







You have reached one limit on computer security. Best practices ask to only allow elevated priviledges for so called trusted programs. But we all know that for common usage, we have to trust the OS and the browser(*). The problem that your are facing is that is one of this products does something that you do not like, little can be done: once you have allowed elevated priviledges, the system offers no additional protection.



I can hardly imagine a truely preventive strategy here because it is hard to guess what an installation procedure could do, and I know nobody that could say that they can detect and understand any change on a windows system. But when one problem has been identified,
workarounds are often possible. Here I can imagine:



  • group policies as you said. BTW, if you have many client machines, you should really considere using AD. You do not even need a AD server license for that because recent versions of SAMBA provide it. And AD can really add a lot when it comes to client machine security

  • automate the process of detecting/resetting the firewall rules. Once automated it will appear as an additional step of the browser upgrade

  • use a dedicated firewall (a dedicated machine) and implement the firewall rules there.

  • maybe others I could not imagine...

Which one will be the more relevant will heavily depend on the real use case...



The best way would be to ask the editors to stop silently opening firewall rules, but I am afraid that this request is unlikely to succeed: there are certainly good reasons for those rules. That is the reason why I only searched for workarounds.



I do not mean here that the browser will run with evelated proviledges, but every updgrade does requires them. And for security reason we cannot use outdated software...






share|improve this answer













You have reached one limit on computer security. Best practices ask to only allow elevated priviledges for so called trusted programs. But we all know that for common usage, we have to trust the OS and the browser(*). The problem that your are facing is that is one of this products does something that you do not like, little can be done: once you have allowed elevated priviledges, the system offers no additional protection.



I can hardly imagine a truely preventive strategy here because it is hard to guess what an installation procedure could do, and I know nobody that could say that they can detect and understand any change on a windows system. But when one problem has been identified,
workarounds are often possible. Here I can imagine:



  • group policies as you said. BTW, if you have many client machines, you should really considere using AD. You do not even need a AD server license for that because recent versions of SAMBA provide it. And AD can really add a lot when it comes to client machine security

  • automate the process of detecting/resetting the firewall rules. Once automated it will appear as an additional step of the browser upgrade

  • use a dedicated firewall (a dedicated machine) and implement the firewall rules there.

  • maybe others I could not imagine...

Which one will be the more relevant will heavily depend on the real use case...



The best way would be to ask the editors to stop silently opening firewall rules, but I am afraid that this request is unlikely to succeed: there are certainly good reasons for those rules. That is the reason why I only searched for workarounds.



I do not mean here that the browser will run with evelated proviledges, but every updgrade does requires them. And for security reason we cannot use outdated software...







share|improve this answer












share|improve this answer



share|improve this answer










answered 12 hours ago









Serge BallestaSerge Ballesta

17.5k32962




17.5k32962












  • Thanks for your answer, upvoted. Of course, I already have a dedicated firewall in place which protects the network, but I'd like to use the Windows firewall additionally to protect each client against attacks from within the local network. The idea to automatically correct the firewall rules after each browser update is good; in fact, I already have considered this, but it would mean educating users (I can't see a way to place a hook into the auto-update routines of the browsers). Let's see if there are further suggestions ...

    – Binarus
    8 hours ago


















  • Thanks for your answer, upvoted. Of course, I already have a dedicated firewall in place which protects the network, but I'd like to use the Windows firewall additionally to protect each client against attacks from within the local network. The idea to automatically correct the firewall rules after each browser update is good; in fact, I already have considered this, but it would mean educating users (I can't see a way to place a hook into the auto-update routines of the browsers). Let's see if there are further suggestions ...

    – Binarus
    8 hours ago

















Thanks for your answer, upvoted. Of course, I already have a dedicated firewall in place which protects the network, but I'd like to use the Windows firewall additionally to protect each client against attacks from within the local network. The idea to automatically correct the firewall rules after each browser update is good; in fact, I already have considered this, but it would mean educating users (I can't see a way to place a hook into the auto-update routines of the browsers). Let's see if there are further suggestions ...

– Binarus
8 hours ago






Thanks for your answer, upvoted. Of course, I already have a dedicated firewall in place which protects the network, but I'd like to use the Windows firewall additionally to protect each client against attacks from within the local network. The idea to automatically correct the firewall rules after each browser update is good; in fact, I already have considered this, but it would mean educating users (I can't see a way to place a hook into the auto-update routines of the browsers). Let's see if there are further suggestions ...

– Binarus
8 hours ago


















draft saved

draft discarded
















































Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205416%2fhow-to-prevent-firefox-and-chrome-from-opening-ports-in-the-firewall%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

acmart: Multiple authors: all with same affiliation, one author an additional affiliationHow to Write Names of Multiple Authors with Shared Affiliation in ACM 2017 Template?Multiple authors with different primary affiliation, but same additional affiliationSame affiliation for all authors without extra packagesIOS-Book-Article.cls: one author with multiple affiliationacmart: Shared Author AffiliationMultiple authors with different primary affiliation, but same additional affiliationAuthor affiliation with only 1 authorAdding Multiple Authors with Different Affiliation in LaTeX ArticleLaTeX: Multiple authors stays on same lineHow to Label Multiple Authors with Same DescriptionHow to make two authors use the same affiliationTwo authors with same affiliation on finished front page

Image
Check if two datetimes are between two others What happens when a metallic dragon and a chromatic dragon mate? Need help identifying/translating a plaque in Tangier, Morocco Piano - What is the notation for a double stop where both notes in the double stop are different lengths? What to wear for invited talk in Canada Pristine Bit Checking Lied on resume at previous job Does it makes sense to buy a new cycle to learn riding? Re-submission of rejected manuscript without informing co-authors Where to refill my bottle in India? How to answer pointed "are you quitting" questioning when I don't want them to suspect Is it wise to focus on putting odd beats on left when playing double bass drums? Copycat chess is back "My colleague's body is amazing" Why is the design of haulage companies so “special”? Information to fellow intern about hiring? How would photo IDs work for shapeshifters? Crop image to path created in TikZ? Does a...
Read more

How to write “ä” and other umlauts and accented letters in bibliography?Accents in BibTeXSorting references with special characters alphabeticallyUse ae ligature in bibliographyEastern European nameInverted circumflex in BibTexBibTex, non-ascii initials and nameptr fproblems with accent in LatexHow to add a Ø to my bibliography from Jabref?References without accentsTroubles when trying to cite St“omer-Verlet in ”title" field of a bib entryComprehensive list of accented charactersHow to type the letter “i” with two dots (diaeresis) in math mode?Problem with glossary text and accented lettersSpecial character in bibliographyAccented letters, Unicode and LaTeX accentsHow to stop natbib from modifying bibliography styleCitation of a paper with non-standard characters by BibtexWrite accented characters to file using writeHow to group the bibliography alphabetically, if some surnames start with “accented” characters?How can I automatically capitalize significant words in my bibliography?

Image
Information to fellow intern about Hiring? Are tax years 2016 & 2017 back taxes deductible for tax year 2018? Why a const reference doesn't extend the life of temporary object passed via function? Why did the Germans forbid the possession of pet pigeons in Rostov-on-Don in 1941? I see my dog run How to avoid repetitive long generic constraints in Rust How can I fix this gap between bookcases I made? What are these boxed doors outside store fronts in New York? How would photo IDs work for shapeshifters? What does "enim et" mean? What is the meaning of "of trouble" in the following sentence? How to determine if window is maximised or minimised from bash script Calculate Levenshtein distance between two strings in Python Why do we use polarized capacitors? How to answer pointed "are you quitting" questioning when I don't want them to suspect Extreme, but not acceptable situation and I can't start the work tomorrow...
Read more

How to remove border form elements in the last row?Targeting flex items on the last rowHow to vertically wrap content with flexbox?Remove border from IFrameCSS3's border-radius property and border-collapse:collapse don't mix. How can I use border-radius to create a collapsed table with rounded corners?Div width 100% minus fixed amount of pixelsBorder around specific rows in a table?How to remove border (outline) around text/input boxes? (Chrome)How do I remove the space between inline-block elements?Flex-box: Align last row to gridRemove blue border from css custom-styled button in ChromeFill remaining vertical space with CSS using display:flexhow style elements in the last row of flexbox row layout with pure css without js

Image
How dangerous is XSS How exploitable/balanced is this homebrew spell: Spell Permanency? In Bayesian inference, why are some terms dropped from the posterior predictive? Should I tell management that I intend to leave due to bad software development practices? Notepad++ delete until colon for every line with replace all Could the museum Saturn V's be refitted for one more flight? files created then deleted at every second in tmp directory How to remove border form elements in the last row? How obscure is the use of 令 in 令和? What is required to make GPS signals available indoors? Car headlights in a world without electricity Do parry bonuses stack? Send out email when Apex Queueable fails and test it How can I deal with my CEO asking me to hire someone with a higher salary than me, a co-founder? Mathematica command that allows it to read my intentions Is it "common practice in Fourier transform spectroscopy to multiply the measured interf...
Read more