Most of the time we want our applications online and connected to both our local network and the greater Internet. There are instances, however, when we want to prevent an application from connecting to the Internet. Read on as we show you how to lock down an application via the Windows Firewall.
Why Do I Want To Do This?
Some of you might have been sold immediately by the headline, as blocking an application is exactly what you've been wanting to do. Others may have opened this tutorial curious as to why one would block an application in the first place.
Although you generally want your applications to have free access to the network (after all what good is a web browser that can't reach the web) there are a variety of situations in which you may wish to prevent an application from accessing the network.
Some simple and commonplace examples are as follows. You might have an application that insists on automatically updating itself, but find that those updates break some functionality and you want to stop them. You might have a video game that you're comfortable with your child playing, but you're not so comfortable with the online (and unsupervised) multiplayer elements. You might be using an application with really obnoxious ads that can be silenced by cutting off the application's Internet access.
Regardless of why you want to drop the cone of network connectivity silence over a given application, a trip into the guts of the Windows Firewall is an easy way to do so. Let's take a look at how to block an application from accessing the local network and Internet now.
Creating a Windows Firewall Rule
Although we'll be demonstrating this trick on Windows 10, the basic layout and premise has remained largely unchanged over the years and you can easily adapt this tutorial to earlier versions of Windows.
To create a Window Firewall rule, you first need to open up the advanced Firewall interface, which is named, appropriately enough, Windows Firewall with Advanced Security. To do so navigate to the Control Panel and select "Windows Firewall." In the "Windows Firewall" window, click the "Advanced Settings" link on the left.
Note: There is a lot going on in the advanced interface and we encourage you follow along closely, leaving anything outside the scope of the tutorial and your experience level alone. Mucking up your firewall rules is a surefire way to a big headache.
In the far left navigation pane, click the "Outbound Rules" link This displays all the existing outbound firewall rules in the middle pane. Don't be surprised that it is already populated with dozens and dozens of Windows-generated entries.
In the far right pane, click "New Rule" to create a new rule for outbound traffic.
In the "New Outbound Rule Wizard," confirm that the "Program" option is selected, and then click the "Next" button.
On the "Program" screen, select the "This program path" option, and then type (or browse for) the path to the program you want to block. For the purposes of this tutorial, we're going to block a portable copy of the Maxthon web browser---mostly because it will be easy to demonstrate to you that the browser is blocked. But, don't click "Next" just yet.
There's an important change you need to make before you continue. Trust us on this. If you skip this step you'll end up frustrated.
When you use the "Browse" command to select an EXE file, Windows defaults to using what are known as environmental variables if the particular path includes a given path portion represented by one of those variables. For example, instead of inserting
C:\Users\Steve\,
it will swap that portion for the environmental variable
%USERPROFILE%
.
For some reason, despite the fact that this is the default way it populated the program path field, it will break the firewall rule. If the file you have browsed to is anywhere that uses an environmental variable (like the
/User/
path or the
/Program Files/
path), you have to manually edit the program path entry to remove the variable and replace it with the correct and full file path. In case that's a tad confusing let us illustrate with our example program from above.
When we browsed to the EXE file for our Maxthon web browser, Windows plugged in the following program path information for the file, which was located in our Documents folder:
%USERPROFILE%\Documents\MaxthonPortable\App\Maxthon\Bin\Maxthon.exe
That file path is understood by Windows, but for some reason is no longer recognized when inserted into a firewall rule. Instead, we need to replace the file path that includes the environmental variable with the full file path. In our case it looks like this:
C:\Users\Jason\Documents\MaxthonPortable\App\Maxthon\Bin\Maxthon.exe
It's possible this is some quirk isolated to the current version of the Windows 10 firewall, and that you can use environmental variables in other versions, but we'd encourage you to just remove the variable and use the full and absolute file path to save yourself a headache today and down the road.
Finally, there's one small but important thing to keep in mind here. For most applications, the main EXE file is the one you want to block, but there are examples of applications where things are a bit counter-intuitive. Take Minecraft, for example. At first glance it seems like you should block Minecraft.exe , but Minecraft.exe is actually just the launcher file and the actual network connectivity happens through Java. So, if you want to restrict your child from connecting to online Minecraft servers you need to block Javaw.exe and not Minecraft.exe . That's atypical, though, as most applications can be blocked through the main executable.
At any rate, once you've selected your application and confirmed the path, you can finally click that "Next" button. On the "Action" screen of the wizard, select the "Block the connection" option, and then click "Next."
On the "Profile" screen, you're asked to select when the rule applies. Here, you have three options:
- Domain: The rule applies when a computer is connected to a domain.
- Private: The rule applies when a computer is connected to a private network, such as your home or small business network.
- Public: The rule applies when a computer is connected to a public network, such as at a coffee shop or hotel.
So, for example, if you have a laptop that you use at home (a network you've defined as private) and at a coffee shop (a network you've defined as public) and you want the rule to apply to both places, you need to check both options. If you want the rule only to apply when you're at the public Wi-Fi spot at the coffee shop, then just check Public. When in doubt, just check them all to block the application across all networks. When you've made your selection click "Next".
The final step is to name your rule. Give it a clear name you'll recognize later on. We named ours, simply, "Maxathon Block" to indicate which application we're blocking. If you want, you can add a fuller description. When you've filled the appropriate information in, click the "Finish" button.
You'll now have an entry at the top of the "Outbound Rules" list for your new rule. If your goal was blanket blocking you're all done. If you want to tweak and refine the rule you can double click on the entry and make adjustments---like adding local exceptions (e.g. the application can't access the Internet but it can connect so another PC on your network so you can use a network resource or the like).
At this point we've achieved the goal outlined in the title of this article: all outbound communication from the application in question is now cut off. If you want to further tighten the grip you have on the application you can select the "Inbound Rules" option in right hand navigation panel of the "Windows Firewall with Advanced Security" and repeat the process, step for step, recreating an identical firewall rule that governs inbound traffic for that application too.
Testing the Rule
Now that the rule is active it's time to fire up the application in question and test it. Our test application was the Maxthon web browser. Practically speaking, and for obvious reasons, it's not super useful to block your web browser from accessing the Internet. But, it does serve as a useful example, because we can immediately and clearly demonstrate that the firewall rule is in effect.
