Block Specific Addresses with Windows Firewall

Recently I’ve had periods where my computer or Internet connection seems to bog down. I started looking to see what was happening and found I had a security problem. So, if you use Remote Desktop or have your Windows Login Service exposed to the Internet for other reasons, you should probably read this.

Figure: System Explorer History

I’ve heard the news and seen the articles on the Cyber War. I have my firewall and anti-virus, anti-malware, anti-etc… So, I feel pretty safe. But, I do use Windows Firewall in Vista. It is a decent enough firewall even if many do knock it.

But, I kept having periods where my computer got sluggish. Also, recently my Internet connection speed would shift into s l o o o o w motion. So, I started looking to see what was happening.

System Explorer is a free program that gives you good insight into what is happening in the computer. Using it I found several copies of rundll32.exe opening and closing. I also saw that svchost.exe was the task rundll32.exe was running. That is an Internet app… well… network app.

I also saw that svchost.exe was calling LogonUI.exe and winLogon.exe. These are the programs that are used by Windows to verify your logon credentials before granting access. So, someone was trying to log on to my computer.

Looking in System Explorer’s History I saw that the IP address 78.111.8.6 was the source of repeated login attempts. Dang!

A quick lookup shows the IP address is assigned to ‘YIKES’ …an ISP in Iran: Neda Rayaneh. A little more digging through the logs and I see what appears to be a brute force attack to log in. So, it isn’t a sophisticated Iranian government attack on my computer… if it had been I would probably have already been screwed.

I need to use Remote Desktop when I am away from home. That exposes my machine’s login service to the world. I have a good name and password along with having all other accounts denied remote access. But, I can’t close off the access to the login services and still get in myself.

So, I need to block a range of IP addresses to keep this pest out. A little Google research reveals I need to block 78.111.0.0 to 78.111.15.255. (Reference) Now to get that done.

Windows Firewall Advanced

If you use Windows’ default panels to access the Windows Firewall settings you can’t do much. Turning it on and off is about it. But, there is an ‘Advanced’ side to the firewall since the release of Vista. You just have to know how to get to it.

First try clicking START and typing: Windows Firewall. With any luck you will see an entry come up for: Windows Firewall with Advanced Security on Local Computer. If that comes up, open it.

You might also find it in the Control Panel in Administrative Tools.

If you do not find it, you can add it to your system. It is there, you just have to make it accessible. To do so follow these steps:

  1. Open START and click RUN…
  2. Type in mmc.exe and press Enter.
  3. In the Console panel’s menu click: File -> Add/Remove Snap-in…
  4. Look through the list for: Windows Firewall with Advanced Security on Local Computer.
  5. Click ADD and OK.

You now have access to Windows Firewall advanced settings. It has everything most firewalls have. You can save this setup so it will always be easily available. (File -> Save As…)

If for some reason the Snap-in is not in the list, you can download it.

Gotcha

There is a gotcha when creating rules to block IP addresses. When you go to block an IP address, it is NOT possible to set an IP Address to block while creating the rule. You must create the rule and then EDIT the Properties to set the IP Address. Odd.
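The same block rule can also be created from an elevated prompt with `netsh advfirewall`, which takes the remote address range as part of the `add rule` command. The script below is an added example, not part of the original post; the range is the one given above, and the rule name and the helper function `ConvertTo-IPv4Number` are arbitrary choices made for this example.

```powershell
# Added example: run from an elevated PowerShell prompt (Windows Vista or later).
# The range comes from the article; the rule name is an arbitrary choice.
$First    = '78.111.0.0'
$Last     = '78.111.15.255'
$RuleName = "Block-In-${First}-${Last}"

function ConvertTo-IPv4Number {
    param([string]$Address)
    # Require a full dotted quad; IPAddress.Parse alone also accepts short forms like "78.111".
    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
        throw "Not a dotted-quad IPv4 address: $Address"
    }
    # Parse throws a FormatException if any octet is above 255.
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)              # network byte order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)   # numeric value, so two addresses can be compared
}

# Catch a malformed or reversed range before it reaches the firewall.
if ((ConvertTo-IPv4Number $First) -gt (ConvertTo-IPv4Number $Last)) {
    throw "Range start $First is above range end $Last"
}

# netsh allows several rules with the same name, so only add the rule
# if it is not already present; re-running the script then changes nothing.
netsh advfirewall firewall show rule name=$RuleName | Out-Null
if ($LASTEXITCODE -ne 0) {
    netsh advfirewall firewall add rule name=$RuleName dir=in action=block `
        remoteip="${First}-${Last}" profile=any
    if ($LASTEXITCODE -ne 0) {
        throw "netsh could not add the rule (is the prompt elevated?)"
    }
}

# Print the stored rule so the RemoteIP field can be checked against the intended range.
netsh advfirewall firewall show rule name=$RuleName verbose
```

The rule appears under Inbound Rules in Windows Firewall with Advanced Security, where its Scope tab should list the same remote address range.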

Summary

I’ve given you the parts of the process that are hard to find via Google. If you want to learn about the advanced tools see: Windows Firewall with Advanced Security Getting Started Guide. It is written in Microsoft-ese, which I find mostly unintelligible. But, it is the official guide.

I think a bit more readable and understandable is: Study Guide – Configure Windows Firewall. Scroll about half way down to: Introduction to Windows Firewall with Advanced Security.

My computer seems to be running more smoothly.

3 thoughts on “Block Specific Addresses with Windows Firewall”

  1. I had a similar problem with a server I have colocated to a data center. It was hit by hundreds of attempts to log into the server coming from a random number of IP addresses from all over the world. So, I needed a more automated process to ban IP numbers. After a long search I found the source code for a Windows service that automatically bans IP addresses. I hacked the code to adapt it to my needs. My IPBan Windows service bans IP addresses after x attempts, keeps track of all the banned IPs, unbans the IPs after 1 day (to avoid a permaban on legit IP addresses) and it’s fully configurable. It really helped; the login attempts dropped to a few and are no longer a risk.

  2. That was pretty informative.

    I do not use Remote Desktop, but I do use TeamViewer in remote mode. It is very hard for someone to even guess the name, so it is even harder to guess the password, since there isn't any kind of IP that the person can attempt to connect to. It also works nicely with dynamic IP. In addition, it has some really good features for file transfer, rebooting the PC, etc., and one of my favorites is that it also has an app for Android to control your whole PC, and it works really fast on low-performance devices.

    As for the firewall, I keep the Windows 7 one plus Comodo Firewall. I started using ZoneAlarm, but it had some bugs with some software like the Java runtime and other stupid stuff. So I switched to Comodo. It is a really good firewall and you can customize rules without any limit. I think it is a good firewall to take a look at. I am really happy with it and I have set it to a high security level, so it doesn't just tell you when something tries to connect to the Internet or to your PC, but also when an application tries to access the keyboard, monitor, registry entries, etc. It also comes with a little antivirus that fortunately doesn't mess with my actual antivirus (AVG).

    • TeamViewer I did not know about. It seems like an ideal solution for remote control. Thanks. I plan to try it.
