App Packages in Windows Firewall with Advanced Security - Where is the documentation? RRS feed

  • Question

  • I am trying to find out about how Store App firewall rules work.  I understand how 'ordinary,' program based rules work.

    (1) General. The firewall rules for Windows Store apps, on the other hand, do not reference a particular program.  So, how do I tell from the rule exactly 'what' is being authorized by the rule?  I cannot find the documentation that explains this.  If such documentation exists, could someone please provide a link to it or otherwise provide an explanation?

    Specific questions:

    (2) Which program(s) are authorized by an 'App Package', Windows Store app firewall rule and how does that authorization work?

    (3) How do I resolve certain firewall rule fields, such as the rule name field and the group field which are the two main fields of interest.  For example:

    Rulename: @{Microsoft.BingFinance_3.0.1.174_x64__8wekyb3d8bbwe?ms-resource://Microsoft.BingFinance/resources/AppTitle}

    How do I interpret that?  the prefix '@' character very strongly suggests that the name is to be acquired, much like names and groups for 'ordinary' rules are gotten from the resource of the main firewall dll file, which is easy to understand and implement.  I cannot, however, figure out how to resolve the example, above.

    Even the wf.msc MMC snap-in (Windows Firewall with Advanced Security) doesn't resolve this.  But it sure looks like it should.  The '@' lead-in is a dead giveaway.

    Other windows store app rules do resolve this type of '@' reference, like 'Microsoft Solitaire Collection' just to cite one example.

    Any light you can shed on this will be greatly appreciated.

    Thank you in advance!

    Charles S. Cotton

    Thursday, April 10, 2014 5:30 PM

All replies

  • Modern Apps (App Packages) are filtered only @ the ALE layers of WFP.  This means it is not a packet by packet inspection of the traffic, but rather the initial send / receive / handshake negotiation that is being authorized.

    Every App Package has a SID, and that SID is what is used for the filtering condition for modern apps.  Generally a package only has 1 app associated with it.  But any app within the package is bound by the rule(s) that apply to that package.

    In addition to the App Package, other conditions can also be applied to further scope the rule being set (USER_ID, PROTOCOL, etc.).

    You can use NetSh WFP Show State to see how the Windows Firewall Rules are implemented as WFP objects.

    As for the name, You can tell exactly which Modern App it is from the resource string (In this case Bing Finance)

    Hope this helps

    Dusty Harper [MSFT]
    Microsoft Corporation
    This posting is provided "AS IS", with NO warranties and confers NO rights

    Thursday, April 10, 2014 11:46 PM
  • Thanks, Dusty, for responding.

    Although I know where to look for the resource string (in the dll or exe file) in a retro (desktop) app, I have no clue where to find it in a non-retro (modern) app.  I'm not a metro app programmer, nor am I likely to become one any time soon.  (Please forgive me for using the 'M' word.)

    This 'App Package' type of rule creates another situation which I don't know how to resolve.  I'm talking outbound rules only here for the purpose of this discussion.

    The issue: two or more rules with the same name.  This is, most unfortunately, allowed by Windows Firewall with Advanced Security.  Why do I say it is unfortunate?  It, of course, makes it impossible to uniquely identify rules by name in those cases where more than one rule exists with the same name.

    Take the rule(s) named 'Skype' as an example.  I have two of them in my firewall rules table, one for each of the two users I have on my computer.

    The problem is with the INetFwRules interface, particularly with the INetFwRules::Item and INetFwRules::Remove functions.  As both of these functions take the rule name as the lone parameter, I don't understand how they could ever work correctly for a rule like Skype.

    I hope I am missing something here, but for now, I don't know how to, using the INetFwRules Item and Remove functions, correctly remove or obtain an INetFwRule(2,3) interface for these 'Skype' rules.

    This is not limited to the Skype rules.  It is a problem with all of the rules for metro apps (oops, I did it again) because for each of them a rule will be created for each user on the system.  Is this really a better, improved, way of defining firewall rules?

    At any rate, I don't know how to programmatically delete a rule by name if more than one rule exists with the name in question, short of removing it directly from the rules store in the registry, which I really, really, REALLY would like to avoid.

    Again, thanks in advance for your help.

    Charles S. Cotton

    Friday, April 11, 2014 2:18 PM