Firewall – Creating a whitelist for RDP access

firewallremote desktopwhitelistwindows-firewallwindows-server-2008

Since people are getting unauthorized access to my Windows Server (bruteforced over several months..), I'd like to set up a whitelist for RDP access.

I have tried the following with Windows Firewall inbound rules:

This still allows other users to connect through RDP. Is there any way to block such unauthorized access through a whitelist?

EDIT: The firewall is enabled, and it's the only firewall running on the machine. Rules like allowing port 80 traffic behave correctly.

Best Answer

Check to make sure that the rule is enabled:

enter image description here

Furthermore, restrict login attempts to five or less before an account is locked out for an hour or more. You can also change your RDP port to lessen the risk from scripted attacks (security through obscurity has gotten a poor reputation that is undue).

Also, choose passwords that are better. A network-borne attack should take theoretical centuries to brute force even a relatively basic password. Consider the use of pass-phrases. twasbrilligandtheslithytoves, halfaleagueonward, or other memorable literary references are all around better than kF4^1*wi.

Related Solutions

Firewall – Allow Only US Traffic (Server 2008 R2)

I think that you need to seriously re-evaluate what you're trying to do if you're concerned about which order your firewall rules are in. This is going to be a complete logistical nightmare. Based on what you've outined, option 3 does sound like the best.

Security – Configure Windows Firewall to block all except for specific traffic

I see there are three policies - public/private/domain. I've been making the same setting changes to each one, though I only have a single NIC and its assigned the domain policy.

As an aside, making changes to the firewall policies for public and private won't have any effect as long as your NIC is still using the Domain network profile.

According to this documentation the allow rules are supposed to take precedence over default rules. I want to set my default rule to block all traffic and only allow certain traffic with allow rules.

You are doing this the hard way. The default policy of the Domain profile implements a default deny ingress policy and a default allow egress (i.e, Inbound connections are blocked and Outbound connections are allowed.) If you've changed these defaults you can set them back in the Windows Firewall Properties dialog.

Then to enable ICMP traffic enable the following two allow rules:

   File and Printer Sharing (Echo Request - ICMPv4-In)
   File and Printer Sharing (Echo Request - ICMPv6-In)

Best Answer

Related Solutions

Firewall – Allow Only US Traffic (Server 2008 R2)

Security – Configure Windows Firewall to block all except for specific traffic

Related Topic