Windows Firewall: Remote Desktop block action by local policy

Local IP addresses are referring to IP addresses of adapters on the server itself. Let's say you have a multihomed server with 192.168.0.2 and 10.10.10.10. If you specify only 10.10.10.10, the firewall will not consider the rule as matching to the traffic if it hits 192.168.0.2 instead.

Remote IP addresses are the source IP address from which the traffic came from. If you put in 20.20.20.20, then the rule will only apply if the traffic came from that IP address.

In this example, if you wanted to block domain authentication traffic from the adapter with the public IP address, you would specify the public IP address(es) for the local IP, and all remote IP's for the rule set to deny this traffic.

To allow it for the local IP'ed adapter, you would make a rule that specifies the internal IP address for local, and then the range of IP addresses that would include your domain controllers as remote, with an allow rule.

The latter means for "computer -> Remote Settings -> Select Users " populates the specific machines remote desktop users group. By default the remote desktop users group has rights to logon through RDP to the server.

Your GPO method should have worked. Are you sure you didnt have another GPO enforcing a different list of users/groups allowed to logon through terminal services?

I suggest controlling the membership of the remote desktop users through group policies. Group policy preferences makes this easy. See http://support.microsoft.com/kb/943729 for details of the CSE and XMLLite (for 2003) that you need to install on the server you want to RDP into. The create a GPO (or edit an existing one) to add a pre-defined group into all intended server's remote desktop users group using group policy preferences. 1. navigate the computer config/preferences/local users and groups. 2. Add new group 3. choose remote desktop users (builtin) from drop down 4. Choose user/group to be added

Above only sorts remote desktop users group membership.You also need to separately enable RDP on the machine. Enable the "Allow users to connect remotely using remote desktop services" in computer configuration\policies\administrative templates\windows components\remote desktop services\remote desktop session host\connections.

You'll also likely need to enable the firewall rules too. You can use computer configuration\policies\Windows Settings\Security\Windows firewall with advanced security\Windows Firewall with Advanced Security - LDAP://cn={GUID} to enable the relevant profile and use the rule editor to create a rule using pre-defined service for remote desktop. this handles windows 2008 and above.

For 2003, use the computer configuration\policies\administrative templates\network\network connections\windows firewall and then based on relevant profile the exception for remote desktop traffic.