Filtering by service name

  • Question

  • I would like to make a WFP filter with a Win32 service name as the condition. This seems to work fine for some services, e.g. Windows Update. However, if I create a filter that should block 'Print Spooler' service traffic, printing to a network printer still succeeds. Results are the same for a filter created programmatically or through the Windows Firewall UI. For the printing case, using the application path (%SystemRoot%\system32\spoolsv.exe) as the filter condition works. But in some use cases using the service name would be more convenient.

    Below is my filter. Any idea what I am doing wrong?

    C:\Windows\System32>sc showsid Spooler

    NAME: Spooler
    SERVICE SID: S-1-5-80-3951239711-1671533544-1416304335-3763227691-3930497994

    <filterKey>{55fd92b4-d442-4d91-9a04-0359c8ae8c30}</filterKey>
    <displayData>
        <name>block spooler</name>
        <description/>
    </displayData>
    <flags/>
    <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
    <providerData>
        <data>7135000000000000</data>
        <asString>q5......</asString>
    </providerData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey>
    <weight>
        <type>FWP_UINT8</type>
        <uint8>10</uint8>
    </weight>
    <filterCondition numItems="1">
        <item>
            <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
            <matchType>FWP_MATCH_EQUAL</matchType>
            <conditionValue>
                <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
                <sd>O:SYG:SYD:(A;;CCRC;;;S-1-5-80-3951239711-1671533544-1416304335-3763227691-3930497994)</sd>
            </conditionValue>
        </item>
    </filterCondition>
    <action>
        <type>FWP_ACTION_BLOCK</type>
        <filterType/>
    </action>
    <rawContext>0</rawContext>
    <reserved/>
    <filterId>608548</filterId>
    <effectiveWeight>
        <type>FWP_UINT64</type>
        <uint64>11529215114787946496</uint64>
    </effectiveWeight>

    -- Antti

    Tuesday, April 3, 2012 7:43 AM
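Added example, not part of the thread: the per-service SID that `sc showsid` prints is derived from the service name (S-1-5-80- followed by the SHA-1 of the upper-cased UTF-16LE name as five little-endian DWORDs), and the filter's `<sd>` above is an SDDL string whose allow ACE names that SID. The Python below, written for this page, reproduces the derivation and checks which service an exported FWPM_CONDITION_ALE_USER_ID descriptor actually targets; the SDDL parsing is a small regex written here, not a Windows API.

```python
import hashlib
import re
import struct

# Values copied from the thread: output of `sc showsid Spooler` and the
# <sd> element of the exported filter.
SPOOLER_SID = "S-1-5-80-3951239711-1671533544-1416304335-3763227691-3930497994"
FILTER_SD = "O:SYG:SYD:(A;;CCRC;;;" + SPOOLER_SID + ")"


def service_sid(service_name: str) -> str:
    """Return the per-service SID (NT SERVICE\\<name>) for a Win32 service.

    Windows computes SHA-1 over the upper-cased service name encoded as
    UTF-16LE and uses the 20-byte digest as five little-endian 32-bit
    sub-authorities under S-1-5-80. Service names are case-insensitive, so
    'spooler' and 'Spooler' yield the same SID.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(x) for x in struct.unpack("<5I", digest))


def user_id_condition_sddl(sid: str) -> str:
    """Build the SDDL used as the FWP_SECURITY_DESCRIPTOR_TYPE condition value.

    Owner and group are SYSTEM and a single access-allowed ACE names the
    service SID, matching the shape of the thread's exported filter.
    """
    return f"O:SYG:SYD:(A;;CCRC;;;{sid})"


# ACE syntax: (type;flags;rights;object_guid;inherit_object_guid;sid)
_ACE_RE = re.compile(r"\((A|D);([^;]*);([^;]*);[^;]*;[^;]*;([^)]+)\)")


def allowed_sids(sddl: str) -> set:
    """Return the SIDs named by access-allowed (type 'A') ACEs in an SDDL string."""
    return {m.group(4) for m in _ACE_RE.finditer(sddl) if m.group(1) == "A"}


def filter_targets_service(sddl: str, service_name: str) -> bool:
    """True if a token carrying this service's SID would be matched by the descriptor."""
    return service_sid(service_name) in allowed_sids(sddl)


if __name__ == "__main__":
    print(service_sid("Spooler"))
    print(filter_targets_service(FILTER_SD, "Spooler"), filter_targets_service(FILTER_SD, "wuauserv"))
```

The check only tells you which SID the descriptor names; as the replies below discuss, whether the connecting token actually carries that SID depends on the service's SID type and on whether it impersonates a user when binding.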

All replies

  • You need to use sc.exe qsidtype <serviceName>. If the SERVICE_SID_TYPE is NONE, then the SID will not be present in the service's process token.

    This is from Win8:

       C:\>sc qsidtype spooler
       [SC] QueryServiceConfig2 SUCCESS

       SERVICE_NAME: spooler
       SERVICE_SID_TYPE:  UNRESTRICTED

    This is from Win7:

       [SC] QueryServiceConfig2 SUCCESS

       SERVICE_NAME: spooler
       SERVICE_SID_TYPE:  UNRESTRICTED

    Which OS are you using?


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Thursday, April 5, 2012 5:13 PM
    Moderator
  • I have tried this mainly on Windows 7. I tested this on Windows 8 too; in a quick test it works the same way as on Windows 7.

    I doubt that SERVICE_SID_TYPE is the root cause in this case. SERVICE_SID_TYPE is UNRESTRICTED for both spooler and Windows Update (wuauserv) services. wuauserv can be blocked, spooler can't.

    C:\>sc qsidtype spooler
    [SC] QueryServiceConfig2 SUCCESS

    SERVICE_NAME: spooler
    SERVICE_SID_TYPE:  UNRESTRICTED

    C:\>sc qsidtype wuauserv
    [SC] QueryServiceConfig2 SUCCESS

    SERVICE_NAME: wuauserv
    SERVICE_SID_TYPE:  UNRESTRICTED

    -- Antti

    Tuesday, April 10, 2012 12:04 PM
  • Block by service name uses the Service SID as the filtering condition. There are cases when a service impersonates when it binds to the socket. In such cases, traffic is sent in the context of the user, and the SID that is being examined by WFP is the user's SID and not the service SID. Hence block by service name doesn't work. Maybe this happens in the case of the spooler svc. wuauserv does not impersonate, so the rule by service name seems to work.
    Friday, April 13, 2012 11:33 AM
  • I tried with a simple Win32 service, running under the Local System account, no impersonation, just opening a normal socket. WFP didn't block the connection. Process Explorer's TCP/IP tab also shows my service name with the socket.

    Could it be that filtering only works for services running as Network Service account?

    -- Antti

    Wednesday, April 18, 2012 3:08 PM