Restrict Internet Access: Allowlist Apps & Domains

TL;DR

This guide shows you how to block all internet access on a computer except for specific applications and websites. We’ll use the Windows Firewall with Advanced Security, creating rules to allow only what you need and deny everything else.

Steps

  1. Understand the Approach

    We’re going to create two types of firewall rules:

    • Allow Rules: These let specific applications access the internet.
    • Block Rule: This blocks all other traffic. It’s important this is created after your allow rules, so it doesn’t prevent them from working.

  2. Open Windows Firewall with Advanced Security

    There are a few ways to do this:

    • Search for “Windows Firewall” in the Start menu and select “Windows Firewall with Advanced Security”.
    • Run wf.msc from the Run dialog (press Windows key + R).

  3. Create Allow Rules for Applications

    For each application you want to allow internet access, follow these steps:

    1. In the left pane, click “Outbound Rules”.
    2. In the right pane, click “New Rule…”.
    3. Select “Program” and click “Next”.
    4. Choose “This program path:” and browse to the application’s .exe file. Click “Next”.
    5. Select “Allow the connection” and click “Next”.
    6. Check all three profiles (Domain, Private, Public) – this ensures the rule applies in any network setting. Click “Next”.
    7. Give the rule a descriptive name (e.g., “Allow Chrome”) and click “Finish”.

    Repeat these steps for each application.

  4. Create Allow Rules for Domains

    This is more complex, as Windows Firewall doesn’t directly allow domains. We’ll use PowerShell to create rules based on the IP addresses associated with the domain. Note: Domain IPs can change, so these rules may need updating periodically.

    1. Open PowerShell as an Administrator (right-click the Start menu and select “Windows PowerShell (Admin)”).
    2. Use the Resolve-DnsName command to get the IP addresses for your domain. For example, to find the IPs for google.com:
      Resolve-DnsName google.com
    3. For each IP address returned, create a firewall rule allowing outbound traffic on port 80 (HTTP) and port 443 (HTTPS). Replace [IP Address] with the actual IP address (the remote port is given with -RemotePort; New-NetFirewallRule has no -Port parameter):
      New-NetFirewallRule -DisplayName "Allow Google.com HTTP" -Direction Outbound -RemoteAddress [IP Address] -Protocol TCP -RemotePort 80 -Action Allow
      New-NetFirewallRule -DisplayName "Allow Google.com HTTPS" -Direction Outbound -RemoteAddress [IP Address] -Protocol TCP -RemotePort 443 -Action Allow

    Repeat these steps for each domain you want to allow, and for every IP address returned by Resolve-DnsName.

  5. Create the Block Rule

    This rule blocks all other outbound traffic:

    1. In Windows Firewall with Advanced Security, click “Outbound Rules”.
    2. Click “New Rule…”.
    3. Select “Custom” and click “Next”.
    4. On the Program page, select “All programs” and click “Next”.
    5. On the Protocol and Ports page, leave all options at their defaults (Any protocol, Any port) and click “Next”.
    6. On the Scope page, leave all options at their defaults (Any IP address) and click “Next”.
    7. Select “Block the connection” and click “Next”.
    8. Check all three profiles (Domain, Private, Public). Click “Next”.
    9. Give the rule a descriptive name (e.g., “Block All Other Outbound Traffic”) and click “Finish”.

  6. Test Your Rules

    After creating all rules:

    • Verify that allowed applications can access the internet.
    • Try to access websites not on your allowlist – they should be blocked.
    • If something isn’t working, double-check your rule settings and ensure the block rule is at the bottom of the list (rules are processed in order).
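The whole procedure above, automated as one PowerShell script. This is an added example, not code from the original post: the rule group name, the sample application path, the sample domains and the control hostname in it are placeholders to replace with your own allowlist. Two things in it go beyond the steps as written and are named here plainly. First, it allows outbound DNS (port 53) to the machine's configured resolvers, because name lookups on Windows are made by the DNS Client service, not by the allowed program, and without that rule the allowed applications cannot resolve any hostname once everything else is denied. Second, it enforces "deny everything else" with the profile's default outbound action (Set-NetFirewallProfile -DefaultOutboundAction Block) instead of an explicit all-programs block rule: Windows Firewall evaluates explicit block rules ahead of allow rules whatever their position in the list, so an all-programs block rule also blocks the allowed programs, whereas the profile default only applies to traffic no rule matched. The script tags every rule it creates with a group so it can be re-run to refresh the domain IPs the post says change over time.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): builds the allowlist described above.
# Assumptions, all placeholders for this example: the group name, the app path,
# the domain list and the control hostname used by Test-Allowlist.

$Group = 'Internet Allowlist (example)'   # tag for every rule this script creates

$AllowedApps = @{                          # hypothetical allowlist; replace with your own
    'Allow Chrome' = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
}
$AllowedDomains = @('example.com')        # constructed sample entry

function New-AppAllowRule {
    param([string]$Name, [string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Program not found: $Path" }
    New-NetFirewallRule -DisplayName $Name -Group $Group -Direction Outbound `
        -Program $Path -Action Allow -Profile Domain,Private,Public | Out-Null
}

function Get-DomainAddresses {
    param([string]$Domain)
    # Resolve-DnsName may return CNAME entries alongside A records; keep only addresses.
    Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'A' } |
        Select-Object -ExpandProperty IPAddress -Unique
}

function New-DomainAllowRule {
    param([string]$Domain)
    $ips = @(Get-DomainAddresses -Domain $Domain)
    if ($ips.Count -eq 0) { throw "No A records resolved for $Domain" }
    # One rule per domain carrying every resolved address; -RemotePort 80,443 covers HTTP and HTTPS.
    New-NetFirewallRule -DisplayName "Allow $Domain HTTP/HTTPS" -Group $Group `
        -Direction Outbound -RemoteAddress $ips -Protocol TCP -RemotePort 80,443 `
        -Action Allow -Profile Domain,Private,Public | Out-Null
}

function New-DnsAllowRule {
    # Lookups are made by the DNS Client service, not by the allowed program,
    # so DNS to the configured resolvers must be allowed explicitly.
    $resolvers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Select-Object -ExpandProperty ServerAddresses -Unique |
        Where-Object { $_ }
    if (-not $resolvers) { throw 'No IPv4 DNS servers configured' }
    New-NetFirewallRule -DisplayName 'Allow DNS to configured resolvers' -Group $Group `
        -Direction Outbound -RemoteAddress $resolvers -Protocol UDP -RemotePort 53 `
        -Action Allow -Profile Domain,Private,Public | Out-Null
}

function Update-Allowlist {
    # Drop rules from a previous run first, so addresses that have changed are not kept.
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-DnsAllowRule
    foreach ($entry in $AllowedApps.GetEnumerator()) { New-AppAllowRule -Name $entry.Key -Path $entry.Value }
    foreach ($domain in $AllowedDomains)           { New-DomainAllowRule -Domain $domain }
    # Deny everything no rule matched. An explicit all-programs block rule would be
    # evaluated before the allow rules and block the allowed programs as well.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
}

function Test-Allowlist {
    # One row per target: allowlisted domains should be reachable, the control should not.
    $control = 'not-on-the-allowlist.example'     # constructed control hostname
    foreach ($t in ($AllowedDomains + $control)) {
        $r = Test-NetConnection -ComputerName $t -Port 443 -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Target    = $t
            Reachable = [bool]($r -and $r.TcpTestSucceeded)
            Expected  = ($t -in $AllowedDomains)
        }
    }
}

Update-Allowlist
Get-NetFirewallRule -Group $Group | Select-Object DisplayName, Direction, Action
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Test-Allowlist | Format-Table -AutoSize
```

Run it again whenever a domain's addresses change; because every rule it makes carries the same group, the old set is removed and rebuilt in one pass. If an all-programs "Block All Other Outbound Traffic" rule already exists on the machine, disable it before relying on the allow rules, for the precedence reason given above. The final Test-Allowlist table is the check: a Reachable value that differs from Expected points at the rule to revisit.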