Is this possible with WFP ..... RRS feed

  • Question

  • I am looking at restricting network access for a particular Windows user (or group of users). I would like to be able to prevent all network access OR just prevent the user from transmitting data out over the network but allow them to receive data.

    In addition to this, i would like to be able to detect when network access attempted by the user has been blocked by my software so that i can take appropriate action...

    I would like to be able to get away with just using WFP in user mode but, due to the fact a need notifications, i think i'll need to write a callout driver ... is this correct ?

    How easy will it be to allow/deny data uploads/downloads ? I would imagine this could be quite awkward so, as an alternative, how easy to block 'user initiated network connects' ( eg browser ) but allow all others ?Finally, which particular sample would be best to user as a starting point for this sort of thing ?

    Many thanks, skint


    Thursday, January 2, 2014 1:22 PM


  • Yes you can use WFP for this using the ALE layers. What you want to accomplish after you detect the block, will determine if you need a WFP callout driver.  If it's just informational, or you want to plumb policy after the fact, you can use NetEvents to see the block happened.  If you want to do something like a pop-up which will optionally allow the user, then you will need a callout driver in order to pend the authorization, and possibly inject the packet back into the stack.

    For a sample, you can look at the WFPSampler.  It has just the user-mode blocks for the BASIC_ACTION_BLOCK scenario.  Files you'd be interested in are exe\Scenarios_BasicAction.cpp, exe\HelperFunctions_CommandLine.cpp, and svc\Scenarios_BasicAction.cpp

    If you wish to do something in a callout, you can look at the sys\ClassifyFunctions_PendAuthorizationCallouts.cpp

    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    This posting is provided "AS IS", with NO warranties and confers NO rights

    Tuesday, January 21, 2014 2:18 AM