44

Can I configure the built-in firewall in Windows 7 to ask me if I want to let a program open an outbound connection?

I can disable all outgoing traffic and manually create rules for programs, but I can't find a way of letting the firewall prompt me when a program wants to initiate an outgoing connection.

Gaff
  • 18,569
  • 15
  • 57
  • 68
olafure
  • 925
  • 3
  • 9
  • 10
  • I thought that it had finally been added in WF for Vista/7, but apparently not; it’s still as limited as XP SP2. This makes the WF almost completely useless since most users will still need a third-party firewall.   ◔_◔ – Synetech Feb 24 '13 at 21:17

4 Answers4

29

Try Windows 7 Firewall Control (the free version is good enough). This program is small, works with the Windows Firewall core - but is independent from the Windows Firewall application itself - and will ask you what to do. There is an annoying sound but this can be disabled.

I found that if you turn off the application, all new programs without firewall rules are blocked without notification.

Wayne Johnston
  • 3,538
  • 19
  • 15
tolkin
  • 306
  • 3
  • 3
  • 4
    If there was a way to upvote this 10 times I would. I used to work with Sygate Personal Firewall on XP and it was awesome. Windows Firewall Notifier is doing a great job of stopping outgoing connections for approval – KalenGi Sep 03 '13 at 21:51
  • Upon installation, you have to sit through a few dozen "allow this program?" prompts before you can access any settings. – RomanSt May 04 '14 at 14:59
  • just installed it and tried pinging www.google.com and didn't get any notification and it went through – barlop Jul 29 '15 at 06:50
  • @barlop: Do you remember whether you chose any options during installation? Perhaps the programme needs to be configured first? Or did you stop using it altogether after that? – Cerberus Aug 09 '17 at 21:41
  • @Cerberus I guess I stopped using it after that.. All I recall of it was it was a small program. But if you try it and you get a notification when pinging then i'd be willing to give it another try.. Let me know what happens when you try it – barlop Aug 10 '17 at 01:26
  • @barlop: OK, I will if I ever do. What Firwall did you end up using? By the way, there appear to be two "Windows Firewall Control" programmes, this one and the one below, in another answer. – Cerberus Aug 11 '17 at 01:31
  • @Cerberus I just use whatever one is built into windows. In the past the most other ones i've used has been sygate maybe win98 time or v early winxp time.. like pre 2008 , I really liked that one a lot, it had great monitoring of connections and a great gui generally, but their last free one like that was then, and probably nothing like it since, and as a technical very effective one I tried ipfw on Win XP (though it's not compatible with win7).and even there it was more for playing around, winxp firewall was ok in power and quite simple. – barlop Aug 11 '17 at 02:59
  • @barlop: Ah, OK, that makes sense. I've never actually used a firewall on my computer, but I'm preparing for Windows 10 now. I want to be able to stop Microsoft from phoning home, too... – Cerberus Aug 11 '17 at 03:19
  • @Cerberus If you don't trust your operating system then it's like you're running firewall software on an already compromised system, which is a flawed concept You could use your router's firewall.. many routers have a built in firewall.. But even then, you'd have to know what ports the OS would be using to contact MS. – barlop Aug 11 '17 at 04:50
  • @barlop: That is true: at least in theory, the OS could work around it. But nothing else is practicable: I couldn't find an option to filter traffic in my modem. So doing it from inside the OS is the best I can do...and I'm hoping for security through obscurity: the OS doesn't care about me specifically, and 99.9% of its users won't use the firewall with a whitelist anyway, so it's probably not worth it for Microsoft to create something to work around it. – Cerberus Aug 15 '17 at 01:16
5

It appears that the default Windows 7 firewall does not support a popup which asks you about outbound connections. The only reference I could find about asking on an outbound connection was people saying it can't be done.

ex. http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/bef6e4a7-d43f-4c85-8229-e7be62d59517

If you want a firewall which does ask you every time there is a connection outbound there are a myriad of products which can do this, the most notable (as it's been around forever) is ZoneAlarm.

From a security perspective disabling all outbound traffic except for specific applications (IE, FF, antivirus, etc.) is a much better solution as once it's setup correctly you will rarely have to update it. If you install new programs frequently though this can be labor intensive and the gains not worth the time spent maintaining the list.

Daisetsu
  • 5,881
  • 4
  • 33
  • 44
  • 3
    The problem with that approach is that, if you're constantly installing new software, you have to manually set up rules for every new program. Also, it seems a bit overkill to have to create new rules for temporary software that you're only going to use once or twice. I think a third-party firewall would be the best solution. – Sasha Chedygov Dec 11 '10 at 00:20
  • 1
    @musicfreak I agree. If you were constantly installing or removing software a white list may not be the best tool for the job. On the other hand the majority of users tend to install new programs which require outbound internet access fairly infrequently (at least where it's vital). I will edit my post too include this drawback. – Daisetsu Dec 11 '10 at 00:22
  • 1
    That's true, I'm just saying that I could see the need for such a feature. +1 regardless. – Sasha Chedygov Dec 11 '10 at 00:25
  • Sounds like a good idea, although the number of people who would use it are so limited from Microsoft's point of view it's not likely to happen. – Daisetsu Dec 11 '10 at 00:28
  • `The problem with that approach is that, if you're constantly installing new software, you have to manually set up rules for every new program.`   And worse, it is not always as simple as allowing a single `.exe` file; there may be dependencies and interactions that complicate what accesses the Internet and specifically what needs to be allowed through and unintended side-effects. For example, how would you allow Windows Update to have access? What file would you make a rule for? `svchost.exe`? What about all of the other services that use it? – Synetech Feb 24 '13 at 21:14
5

A much better program is Binisoft's Windows Firewall Control. Its 275kb - and has awesome functions like selecting an apps window to create a rule for example and is incredibly minimal and easy to use. Unlike that app up there which I tried, its ghastly and the free version doesn't allow system processes control.

galacticninja
  • 6,188
  • 16
  • 78
  • 120
Fstarockr
  • 51
  • 1
  • 1
  • So this programme is entirely different from the other Windows Firewall Control? And this one is better? When you compare the features of the paid versions, can this one do things that the other cannot? – Cerberus Aug 09 '17 at 22:12
  • Users are no longer able to 'register' the app. (I contacted them and apparently this is eue to a current company takover). And without registration, notifications are disabled. – Ben Jul 09 '18 at 07:03
3

Good question, but unfortunately, this can't be done with the Windows Firewall. Your only choice if you absolutely need this functionality is to use a third-party firewall. There are plenty of free ones; I recommend Comodo.

Otherwise, Daisetsu is correct: setting up rules is a much better practice from a security standpoint.

Sasha Chedygov
  • 6,939
  • 12
  • 48
  • 55